From ecfc6e1e89719ccf0c9fc6f3dbc6bfd64b875880 Mon Sep 17 00:00:00 2001
From: Eunkyu Lee
Date: Sat, 22 Jun 2024 12:09:17 +0000
Subject: [PATCH] Bluetooth: Host: Add missing buffer length check

Modified to check the length of the remaining data in buffer before processing the next report. The length check is missing in the cont routine.

Signed-off-by: Eunkyu Lee
(cherry picked from commit e491f220d823c3dcd44f1e7b13799bb32098632e)
---
 subsys/bluetooth/host/scan.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/subsys/bluetooth/host/scan.c b/subsys/bluetooth/host/scan.c
index 0b61305e2c30e6..91036baacb796b 100644
--- a/subsys/bluetooth/host/scan.c
+++ b/subsys/bluetooth/host/scan.c
@@ -602,6 +602,24 @@ void bt_hci_le_adv_ext_report(struct net_buf *buf)
 	is_report_complete = data_status == BT_HCI_LE_ADV_EVT_TYPE_DATA_STATUS_COMPLETE;
 	more_to_come = data_status == BT_HCI_LE_ADV_EVT_TYPE_DATA_STATUS_PARTIAL;
 
+	if (evt->length > buf->len) {
+		LOG_WRN("Adv report corrupted (wants %u out of %u)", evt->length, buf->len);
+
+		net_buf_reset(buf);
+
+		if (evt_type & BT_HCI_LE_ADV_EVT_TYPE_LEGACY) {
+			return;
+		}
+
+		/* Start discarding irrespective of the `more_to_come` flag. We
+		 * assume we may have lost a partial adv report in the truncated
+		 * data.
+		 */
+		reassembling_advertiser.state = FRAG_ADV_DISCARDING;
+
+		return;
+	}
+
 	if (evt_type & BT_HCI_LE_ADV_EVT_TYPE_LEGACY) {
 		/* Legacy advertising reports are complete.
 		 * Create event immediately.
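Review bot: The two exits in the new corruption branch (an early `return` for legacy reports, then an unconditional `return` after the state change) obscure that the only legacy/extended difference is whether `reassembling_advertiser.state` is touched; the block reads more directly as `if (!(evt_type & BT_HCI_LE_ADV_EVT_TYPE_LEGACY)) { reassembling_advertiser.state = FRAG_ADV_DISCARDING; } return;` with the existing explanatory comment kept inside the guarded branch. The state is also set to FRAG_ADV_DISCARDING regardless of what the reassembler was doing before, including when no reassembly was in progress or the in-progress one presumably belonged to a different advertiser address; whether the later handling tolerates that is decided outside the hunk, so it is worth a sentence in the comment such as `/* Also taken when no reassembly is in progress: the discarding state is cleared once a non-partial report arrives. */` if that is indeed the contract. Since `net_buf_reset(buf)` empties the buffer, any further reports packed into the same HCI event are dropped as well, which matches the "truncated data" reasoning but could be stated in the LOG_WRN text. The enclosing bt_hci_le_adv_ext_report body starts and ends outside this hunk.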