Bluetooth: Host: Add missing buffer length check

Modified to check the length of the remaining data in buffer before processing the next report. The length check is missing in the cont routine. Signed-off-by: Eunkyu Lee <mochaccino.00.00@gmail.com> (cherry picked from commit e491f22)
zephyrproject-rtos · Sep 6, 2024 · ecfc6e1 · ecfc6e1
1 parent 6567d6e
commit ecfc6e1
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/subsys/bluetooth/host/scan.c b/subsys/bluetooth/host/scan.c
@@ -602,6 +602,24 @@ void bt_hci_le_adv_ext_report(struct net_buf *buf)
 		is_report_complete = data_status == BT_HCI_LE_ADV_EVT_TYPE_DATA_STATUS_COMPLETE;
 		more_to_come = data_status == BT_HCI_LE_ADV_EVT_TYPE_DATA_STATUS_PARTIAL;
 
+		if (evt->length > buf->len) {
+			LOG_WRN("Adv report corrupted (wants %u out of %u)", evt->length, buf->len);
+
+			net_buf_reset(buf);
+
+			if (evt_type & BT_HCI_LE_ADV_EVT_TYPE_LEGACY) {
+				return;
+			}
+
+			/* Start discarding irrespective of the `more_to_come` flag. We
+			 * assume we may have lost a partial adv report in the truncated
+			 * data.
+			 */
+			reassembling_advertiser.state = FRAG_ADV_DISCARDING;
+
+			return;
+		}
+
 		if (evt_type & BT_HCI_LE_ADV_EVT_TYPE_LEGACY) {
 			/* Legacy advertising reports are complete.
 			 * Create event immediately.