espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 19:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(bt/bluedroid): fixed possible OOB read in smp_br_data_received

Browse Source
This commit is contained in:
Jin Cheng
2025-12-11 12:11:47 +08:00
parent 4466f5dd85
commit 1c0c9c6fbd
1 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
components/bt/host/bluedroid/stack/smp/smp_l2c.c
+11
View File
@@ -320,6 +320,12 @@ static void smp_br_data_received(UINT16 channel, BD_ADDR bd_addr, BT_HDR *p_buf)
UINT8 cmd ;
SMP_TRACE_EVENT ("SMDBG l2c %s\n", __func__);
if (p_buf->len < 1) {
SMP_TRACE_WARNING( "Bogus l2cap packet, too short");
osi_free(p_buf);
return;
}
STREAM_TO_UINT8(cmd, p);
/* sanity check */
@@ -331,6 +337,11 @@ static void smp_br_data_received(UINT16 channel, BD_ADDR bd_addr, BT_HDR *p_buf)
/* reject the pairing request if there is an on-going SMP pairing */
if (SMP_OPCODE_PAIRING_REQ == cmd) {
if (p_buf->len != smp_cmd_size_per_spec[cmd]) {
SMP_TRACE_WARNING( "Ignore received command 0x%02x with invalid length %d", cmd, p_buf->len);
osi_free(p_buf);
return;
}
if ((p_cb->state == SMP_STATE_IDLE) && (p_cb->br_state == SMP_BR_STATE_IDLE)) {
p_cb->role = HCI_ROLE_SLAVE;
p_cb->smp_over_br = TRUE;