From 3e299a98ecd158bbf446a3a479c7a614cabc8ae4 Mon Sep 17 00:00:00 2001 From: Jin Cheng Date: Mon, 13 Oct 2025 09:18:24 +0800 Subject: [PATCH] fix(bt/bluedroid): fixed an OOB bug in btm_read_tx_power_complete --- .../bt/host/bluedroid/stack/btm/btm_acl.c | 19 ++++++++++++++++++- .../bluedroid/stack/btm/include/btm_int.h | 2 +- .../bt/host/bluedroid/stack/btu/btu_hcif.c | 4 ++-- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/components/bt/host/bluedroid/stack/btm/btm_acl.c b/components/bt/host/bluedroid/stack/btm/btm_acl.c index 4578e09ce2..b1e3ecb882 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_acl.c +++ b/components/bt/host/bluedroid/stack/btm/btm_acl.c @@ -2247,7 +2247,7 @@ void BTM_BleGetPeriodicAdvListSize(uint8_t *size) ** Returns void ** *******************************************************************************/ -void btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble) +void btm_read_tx_power_complete (UINT8 *p, UINT16 evt_len, BOOLEAN is_ble) { tBTM_CMPL_CB *p_cb = btm_cb.devcb.p_tx_power_cmpl_cb; tBTM_TX_POWER_RESULTS results; @@ -2260,12 +2260,23 @@ void btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble) btm_cb.devcb.p_tx_power_cmpl_cb = NULL; if (p_cb) { + if (evt_len < 1) { + BTM_TRACE_ERROR("Bogus event packet, too short\n"); + results.status = BTM_ERR_PROCESSING; + goto err_out; + } + STREAM_TO_UINT8 (results.hci_status, p); if (results.hci_status == HCI_SUCCESS) { results.status = BTM_SUCCESS; if (!is_ble) { + if (evt_len < 1 + 3) { + BTM_TRACE_ERROR("Bogus event packet, too short\n"); + results.status = BTM_ERR_PROCESSING; + goto err_out; + } STREAM_TO_UINT16 (handle, p); STREAM_TO_UINT8 (results.tx_power, p); 
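Review bot: The `if (evt_len < 1)` bail-out added at the top of the `if (p_cb)` block jumps to `err_out` and invokes the callback with `results.hci_status`, `results.tx_power` and `results.rem_bda` never assigned: `results` is declared as `tBTM_TX_POWER_RESULTS results;` with no initializer in the first hunk, and only `results.status` is written before the `goto`; the `evt_len < 1 + 3` check likewise leaves `tx_power` and `rem_bda` unset. Unless the struct is cleared somewhere in the lines between the two hunks (not shown here), the callback receives indeterminate stack contents in those fields, and a consumer that inspects `hci_status` on the error path reads garbage. Zero it at the declaration, `tBTM_TX_POWER_RESULTS results = {0};`, so every `err_out` path hands the callback a fully defined struct. The body of btm_read_tx_power_complete continues past the end of this hunk.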
@@ -2277,6 +2288,11 @@ void btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble) } #if BLE_INCLUDED == TRUE else { + if (evt_len < 1 + 1) { + BTM_TRACE_ERROR("Bogus event packet, too short\n"); + results.status = BTM_ERR_PROCESSING; + goto err_out; + } STREAM_TO_UINT8 (results.tx_power, p); memcpy(results.rem_bda, btm_cb.devcb.read_tx_pwr_addr, BD_ADDR_LEN); } @@ -2287,6 +2303,7 @@ void btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble) results.status = BTM_ERR_PROCESSING; } +err_out: (*p_cb)(&results); } } diff --git a/components/bt/host/bluedroid/stack/btm/include/btm_int.h b/components/bt/host/bluedroid/stack/btm/include/btm_int.h index 5b7a2ef130..c840f439d4 100644 --- a/components/bt/host/bluedroid/stack/btm/include/btm_int.h +++ b/components/bt/host/bluedroid/stack/btm/include/btm_int.h @@ -1052,7 +1052,7 @@ void btm_cont_rswitch (tACL_CONN *p, tACL_CONN *btm_handle_to_acl (UINT16 hci_handle); void btm_read_link_policy_complete (UINT8 *p); void btm_read_rssi_complete (UINT8 *p); -void btm_read_tx_power_complete (UINT8 *p, BOOLEAN is_ble); +void btm_read_tx_power_complete (UINT8 *p, UINT16 evt_len, BOOLEAN is_ble); void btm_acl_pkt_types_changed(UINT8 status, UINT16 handle, UINT16 pkt_types); void btm_read_link_quality_complete (UINT8 *p); tBTM_STATUS btm_set_packet_types (tACL_CONN *p, UINT16 pkt_types); diff --git a/components/bt/host/bluedroid/stack/btu/btu_hcif.c b/components/bt/host/bluedroid/stack/btu/btu_hcif.c index 9e5e1882d3..b1153d92ca 100644 --- a/components/bt/host/bluedroid/stack/btu/btu_hcif.c +++ b/components/bt/host/bluedroid/stack/btu/btu_hcif.c @@ -981,7 +981,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l break; case HCI_READ_TRANSMIT_POWER_LEVEL: - btm_read_tx_power_complete(p, FALSE); + btm_read_tx_power_complete(p, evt_len, FALSE); break; case HCI_CREATE_CONNECTION_CANCEL: 
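Review bot: The BLE branch repeats the same four-line bail-out (trace, `results.status = BTM_ERR_PROCESSING`, `goto err_out`) for the third time, each with an identical "Bogus event packet, too short" message, so a log line cannot tell which of the three checks fired. Since `is_ble` is known before any byte is parsed, the two post-status checks can be folded into one placed right after `results.status = BTM_SUCCESS;`: `if (evt_len < 1 + (is_ble ? 1 : 3)) { BTM_TRACE_ERROR("Bogus event packet, too short (%d)\n", evt_len); results.status = BTM_ERR_PROCESSING; goto err_out; }`, dropping the per-branch copies. Printing `evt_len` (assuming BTM_TRACE_ERROR accepts format arguments, as its printf-style use here suggests) or giving each check a distinct message would make the trace actionable. This block starts in the previous hunk and the `#if BLE_INCLUDED` branch closes outside this one.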
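Review bot: The new `evt_len` parameter on `btm_read_tx_power_complete` is left undocumented in the header, and the bounds checks in btm_acl.c are only correct if it counts the bytes available at `p` (the Command Complete return parameters, starting with the status byte) rather than the length of the whole event; nothing on this page shows which of the two the `evt_len` forwarded by btu_hcif_hdl_command_complete is. Add a comment on the prototype, e.g. `/* evt_len: number of bytes readable at p, starting with the HCI status byte */`, and confirm the convention against the caller of btu_hcif_hdl_command_complete, which is outside this diff.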
@@ -1049,7 +1049,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l break; case HCI_BLE_READ_ADV_CHNL_TX_POWER: - btm_read_tx_power_complete(p, TRUE); + btm_read_tx_power_complete(p, evt_len, TRUE); break; case HCI_BLE_WRITE_ADV_ENABLE: