fix(bt/bluedroid): fixed an OOB bug in btm_read_tx_power_complete

components/bt/host/bluedroid/stack/btm/btm_acl.c

@@ -2247,7 +2247,7 @@ void BTM_BleGetPeriodicAdvListSize(uint8_t *size)
 ** Returns          void
 **
 *******************************************************************************/
-void btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble)
+void btm_read_tx_power_complete (UINT8 *p, UINT16 evt_len, BOOLEAN is_ble)
 {
     tBTM_CMPL_CB            *p_cb = btm_cb.devcb.p_tx_power_cmpl_cb;
     tBTM_TX_POWER_RESULTS   results;
@@ -2260,12 +2260,23 @@ void btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble)
     btm_cb.devcb.p_tx_power_cmpl_cb = NULL;
 
     if (p_cb) {
+        if (evt_len < 1) {
+            BTM_TRACE_ERROR("Bogus event packet, too short\n");
+            results.status = BTM_ERR_PROCESSING;
+            goto err_out;
+        }
+
         STREAM_TO_UINT8  (results.hci_status, p);
 
         if (results.hci_status == HCI_SUCCESS) {
             results.status = BTM_SUCCESS;
 
             if (!is_ble) {
+                if (evt_len < 1 + 3) {
+                    BTM_TRACE_ERROR("Bogus event packet, too short\n");
+                    results.status = BTM_ERR_PROCESSING;
+                    goto err_out;
+                }
                 STREAM_TO_UINT16 (handle, p);
                 STREAM_TO_UINT8 (results.tx_power, p);
 
@@ -2277,6 +2288,11 @@ void btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble)
             }
 #if BLE_INCLUDED == TRUE
             else {
+                if (evt_len < 1 + 1) {
+                    BTM_TRACE_ERROR("Bogus event packet, too short\n");
+                    results.status = BTM_ERR_PROCESSING;
+                    goto err_out;
+                }
                 STREAM_TO_UINT8 (results.tx_power, p);
                 memcpy(results.rem_bda, btm_cb.devcb.read_tx_pwr_addr, BD_ADDR_LEN);
             }
@@ -2287,6 +2303,7 @@ void btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble)
             results.status = BTM_ERR_PROCESSING;
         }
 
+err_out:
         (*p_cb)(&results);
     }
 }

components/bt/host/bluedroid/stack/btm/include/btm_int.h

@@ -1052,7 +1052,7 @@ void         btm_cont_rswitch (tACL_CONN *p,
 tACL_CONN    *btm_handle_to_acl (UINT16 hci_handle);
 void         btm_read_link_policy_complete (UINT8 *p);
 void         btm_read_rssi_complete (UINT8 *p);
-void         btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble);
+void         btm_read_tx_power_complete (UINT8 *p, UINT16 evt_len, BOOLEAN is_ble);
 void         btm_acl_pkt_types_changed(UINT8 status, UINT16 handle, UINT16 pkt_types);
 void         btm_read_link_quality_complete (UINT8 *p);
 tBTM_STATUS  btm_set_packet_types (tACL_CONN *p, UINT16 pkt_types);

components/bt/host/bluedroid/stack/btu/btu_hcif.c

@@ -981,7 +981,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
         break;
 
     case HCI_READ_TRANSMIT_POWER_LEVEL:
-        btm_read_tx_power_complete(p, FALSE);
+        btm_read_tx_power_complete(p, evt_len, FALSE);
         break;
 
     case HCI_CREATE_CONNECTION_CANCEL:
@@ -1049,7 +1049,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
         break;
 
     case HCI_BLE_READ_ADV_CHNL_TX_POWER:
-        btm_read_tx_power_complete(p, TRUE);
+        btm_read_tx_power_complete(p, evt_len, TRUE);
         break;
 
     case HCI_BLE_WRITE_ADV_ENABLE: