From 3e6a58c3d4bd8346da961e4804dfeac042ed4f33 Mon Sep 17 00:00:00 2001
From: Jin Cheng
Date: Sat, 11 Oct 2025 19:10:42 +0800
Subject: [PATCH] fix(bt/bluedroid): fixed an OOB bug in btm_read_local_oob_complete
---
 .../bluedroid/stack/btm/btm_ble_privacy.c | 1 +
 .../bt/host/bluedroid/stack/btm/btm_sec.c | 19 +++++++++++++++++--
 .../bluedroid/stack/btm/include/btm_int.h | 4 ++--
 .../bt/host/bluedroid/stack/btu/btu_hcif.c | 2 +-
 4 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c b/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c
index 267ee83175..032c97fa33 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c
@@ -227,6 +227,7 @@ void btm_ble_update_resolving_list(BD_ADDR pseudo_bda, BOOLEAN add)
 void btm_ble_clear_resolving_list_complete(UINT8 *p, UINT16 evt_len)
 {
 UINT8 status = 0;
+ STREAM_TO_UINT8(status, p);
 BTM_TRACE_DEBUG("%s status=%d", __func__, status);
diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c
index 2b5ed29ff7..aabb56b9a4 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_sec.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c
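Review bot: The new `STREAM_TO_UINT8(status, p);` in btm_ble_clear_resolving_list_complete consumes a byte of the event payload without consulting the `evt_len` parameter that is already in the signature, so a truncated Command Complete still reads one byte past the payload; guard it the same way the btm_sec.c hunk of this commit does, `if (evt_len < 1) { BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__); return; }`. Whether an early return is the right recovery depends on what the function does with `status` afterwards, which is outside the hunk. With the read unconditional, the `= 0` initialiser on `UINT8 status` is now dead; it only keeps meaning if the read is made conditional on the length.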
@@ -3795,13 +3795,27 @@ void btm_rem_oob_req (UINT8 *p)
 ** Returns void
 **
 *******************************************************************************/
-void btm_read_local_oob_complete (UINT8 *p)
+void btm_read_local_oob_complete (UINT8 *p, UINT16 evt_len)
 {
 tBTM_SP_LOC_OOB evt_data;
- UINT8 status = *p++;
+ UINT8 status;
+
+ if (evt_len < 1) {
+ BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__);
+ evt_data.status = BTM_ERR_PROCESSING;
+ goto err_out;
+ }
+
+ STREAM_TO_UINT8(status, p);
 BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d\n", status);
 if (status == HCI_SUCCESS) {
+ if (evt_len < 1 + 32) {
+ BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__);
+ evt_data.status = BTM_ERR_PROCESSING;
+ goto err_out;
+ }
+
 evt_data.status = BTM_SUCCESS;
 STREAM_TO_ARRAY16(evt_data.c, p);
 STREAM_TO_ARRAY16(evt_data.r, p);
@@ -3809,6 +3823,7 @@ void btm_read_local_oob_complete (UINT8 *p)
 evt_data.status = BTM_ERR_PROCESSING;
 }
+err_out:
 if (btm_cb.api.p_sp_callback) {
 (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
 }
diff --git a/components/bt/host/bluedroid/stack/btm/include/btm_int.h b/components/bt/host/bluedroid/stack/btm/include/btm_int.h
index ed89f78ed4..69be9fec86 100644
--- a/components/bt/host/bluedroid/stack/btm/include/btm_int.h
+++ b/components/bt/host/bluedroid/stack/btm/include/btm_int.h
@@ -1222,10 +1222,10 @@ tINQ_DB_ENT *btm_inq_db_new (BD_ADDR p_bda);
 #if BTM_OOB_INCLUDED == TRUE
 void btm_rem_oob_req (UINT8 *p);
-void btm_read_local_oob_complete (UINT8 *p);
+void btm_read_local_oob_complete (UINT8 *p, UINT16 evt_len);
 #else
 #define btm_rem_oob_req(p)
-#define btm_read_local_oob_complete(p)
+#define btm_read_local_oob_complete(p, evt_len)
 #endif
 void btm_acl_resubmit_page (void);
diff --git a/components/bt/host/bluedroid/stack/btu/btu_hcif.c b/components/bt/host/bluedroid/stack/btu/btu_hcif.c
index e94819486a..7f8023c064 100644
--- a/components/bt/host/bluedroid/stack/btu/btu_hcif.c
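Review bot: The bound in `if (evt_len < 1 + 32)` is a magic number standing for the status byte plus the two 16-byte arrays that the following `STREAM_TO_ARRAY16` calls copy into evt_data.c and evt_data.r; expressing it in terms of the copied size, `if (evt_len < 1 + 2 * BT_OCTET16_LEN) { /* status + C + R */`, keeps the check in step with the copies if either side changes. Both new error branches reach `goto err_out` with evt_data.c and evt_data.r never written, and the label added in the second hunk hands `&evt_data` to p_sp_callback in that state; the pre-existing BTM_ERR_PROCESSING path already does the same, so this only matters if a callback reads c/r without checking status, but `tBTM_SP_LOC_OOB evt_data = {0};` would remove the question for every path. The same three-line error block appears twice with an identical message; a single label that sets BTM_ERR_PROCESSING before falling into err_out would avoid the duplication. btm_read_local_oob_complete continues beyond this hunk into the next one.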
+++ b/components/bt/host/bluedroid/stack/btu/btu_hcif.c
@@ -990,7 +990,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
 case HCI_READ_LOCAL_OOB_DATA:
 #if BTM_OOB_INCLUDED == TRUE && SMP_INCLUDED == TRUE
- btm_read_local_oob_complete(p);
+ btm_read_local_oob_complete(p, evt_len);
 #endif
 break;
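Review bot: The `evt_len` forwarded here has to be the number of return-parameter bytes remaining at `p`, i.e. measured after the Num_HCI_Command_Packets and opcode fields have been stripped, because btm_read_local_oob_complete now compares it against bytes it consumes from `p` (its `evt_len < 1` and `evt_len < 1 + 32` checks); if the evt_len given to btu_hcif_hdl_command_complete still counts those leading header bytes, a packet that is short by up to that much passes the new checks. The hunk header only shows that the parameter exists, not how the caller derives it, so this is worth confirming against the dispatch code outside the hunk. Either way, a one-line comment on the parameter, `/* evt_len: number of return-parameter bytes starting at p */`, would make the contract explicit for the other case arms that may want the same check.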