From 77e3d0a1200b5a3c8c5fbda0cdcf6934e48b8ee1 Mon Sep 17 00:00:00 2001
From: Rahul Tank
Date: Mon, 23 Feb 2026 14:04:11 +0530
Subject: [PATCH] fix(nimble): Fix various issues for security/vulnerability in host
---
 components/bt/host/nimble/nimble | 2 +-
 .../nimble/ble_htp/htp_cent/main/main.c | 4 ++--
 .../nimble/ble_phy/phy_cent/main/main.c | 16 +++++++---------
 .../proximity_sensor_cent/main/main.c | 14 ++++----------
 4 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/components/bt/host/nimble/nimble b/components/bt/host/nimble/nimble
index 6128c09f0b..88217237df 160000
--- a/components/bt/host/nimble/nimble
+++ b/components/bt/host/nimble/nimble
@@ -1 +1 @@
-Subproject commit 6128c09f0b90af95fedc94beb2f6bdadc330714c
+Subproject commit 88217237dfa971c07ba22d4f4a028d1252341645
diff --git a/examples/bluetooth/nimble/ble_htp/htp_cent/main/main.c b/examples/bluetooth/nimble/ble_htp/htp_cent/main/main.c
index 2ee915c563..58c9ae5426 100644
--- a/examples/bluetooth/nimble/ble_htp/htp_cent/main/main.c
+++ b/examples/bluetooth/nimble/ble_htp/htp_cent/main/main.c
@@ -354,8 +354,8 @@ ext_ble_htp_cent_should_connect(const struct ble_gap_ext_disc_desc *disc)
 }
 /* Search if HTP UUID is advertised */
- if (disc->data[offset + 1] == 0x03) {
- if (disc->data[offset + 2] == 0x09 && disc->data[offset + 3] == 0x18) {
+ if (disc->data[offset] == 0x03 && disc->data[offset + 1] == 0x03) {
+ if ( disc->data[offset + 2] == 0x18 && disc->data[offset + 3] == 0x09 ) {
 return 1;
 }
 }
diff --git a/examples/bluetooth/nimble/ble_phy/phy_cent/main/main.c b/examples/bluetooth/nimble/ble_phy/phy_cent/main/main.c
index 894022e78d..c05dc3edc9 100644
--- a/examples/bluetooth/nimble/ble_phy/phy_cent/main/main.c
+++ b/examples/bluetooth/nimble/ble_phy/phy_cent/main/main.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
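Review bot: In ext_ble_htp_cent_should_connect (htp_cent/main/main.c) the new comparison expects the UUID bytes as 0x18 then 0x09, which is the reverse of the little-endian order Bluetooth advertising data uses for 16-bit UUIDs and of what the removed line matched (0x09 then 0x18). This can only match a peer that places the bytes in the payload in that order, which may be what the companion peripheral example sends, but a peer that encodes 0x1809 per the specification would presumably be ignored. The phy_cent hunk (0xAB, 0xF2) and the proximity_sensor_cent hunk (0x18, 0x03) make the same swap, and the proximity one also drops the comment that said `0x1803 is stored as 0x03 0x18`. If the order is deliberate, state it beside each check, for example `/* byte order follows the raw ext adv pattern of the companion peripheral example */`; otherwise compare `disc->data[offset + 2] == 0x09 && disc->data[offset + 3] == 0x18`. The function body starts and ends outside the hunk.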
@@ -236,7 +236,6 @@ ext_blecent_should_connect(const struct ble_gap_ext_disc_desc *disc)
 int ad_struct_len = 0;
 uint8_t test_addr[6];
 uint32_t peer_addr[6];
- uint8_t type = 0;
 memset(peer_addr, 0x0, sizeof peer_addr);
@@ -268,13 +267,12 @@ ext_blecent_should_connect(const struct ble_gap_ext_disc_desc *disc)
 if (!ad_struct_len || (offset + ad_struct_len + 1 > disc->length_data)) {
 break;
 }
- type = disc->data[offset + 1];
- if ((type == 0x02 || type == 0x03) && ad_struct_len >= 3) {
- /* Scan UUID bytes for LE_PHY_UUID16 (little-endian: 0xF2 0xAB) */
- for (int i = 2; i + 1 < ad_struct_len; i += 2) {
- if (disc->data[offset + i] == 0xF2 && disc->data[offset + i + 1] == 0xAB) {
- return 1;
- }
+ /* Search if LE PHY UUID is advertised */
+ if (disc->data[offset] == 0x03 && disc->data[offset + 1] == 0x03) {
+ if ( disc->data[offset + 2] == 0xAB && disc->data[offset + 3] == 0xF2 ) {
+ return 1;
+ }
 }
 offset += ad_struct_len + 1;
diff --git a/examples/bluetooth/nimble/ble_proximity_sensor/proximity_sensor_cent/main/main.c b/examples/bluetooth/nimble/ble_proximity_sensor/proximity_sensor_cent/main/main.c
index 52369ad198..d746282fc6 100644
--- a/examples/bluetooth/nimble/ble_proximity_sensor/proximity_sensor_cent/main/main.c
+++ b/examples/bluetooth/nimble/ble_proximity_sensor/proximity_sensor_cent/main/main.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
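Review bot: The rewritten check in ext_blecent_should_connect (second phy_cent hunk) matches only an AD structure of exactly length 3 and type 0x03, so a peer that lists the LE PHY service alongside other 16-bit UUIDs, or in an Incomplete list (type 0x02, which the removed code accepted), is skipped. The literal length test is also what keeps the reads at offset + 2 and offset + 3 inside the range the guard above validated, so it should be replaced by a scan bounded by ad_struct_len rather than simply dropped. The removed loop used `i + 1 < ad_struct_len`, which stops one pair early if ad_struct_len holds the length byte at `disc->data[offset]` (its assignment is outside the hunk), so the sketch below uses `<=`. The sketch keeps the byte order of the new code and declares `type` locally because the first hunk of this file removes the old declaration. The proximity_sensor_cent hunk loses its equivalent loop in the same way.

```c
/* … unchanged: ad_struct_len bounds check against disc->length_data … */

/* Search if LE PHY UUID is advertised */
uint8_t type = disc->data[offset + 1];
if ((type == 0x02 || type == 0x03) && ad_struct_len >= 3) {
    /* UUID pairs occupy offset + 2 .. offset + ad_struct_len */
    for (int i = 2; i + 1 <= ad_struct_len; i += 2) {
        if (disc->data[offset + i] == 0xAB && disc->data[offset + i + 1] == 0xF2) {
            return 1;
        }
    }
}
```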
@@ -269,15 +269,9 @@ ext_ble_prox_cent_should_connect(const struct ble_gap_ext_disc_desc *disc)
 }
 /* Search if Proximity Sensor (Link loss) UUID is advertised */
- if (disc->data[offset + 1] == 0x03) {
- int uuid_offset = offset + 2;
- int uuid_end = offset + 1 + disc->data[offset]; // len includes type+data
- while (uuid_offset + 1 < uuid_end) {
- // BLE uses little-endian: 0x1803 is stored as 0x03 0x18
- if (disc->data[uuid_offset] == 0x03 && disc->data[uuid_offset + 1] == 0x18) {
- return 1;
- }
- uuid_offset += 2;
+ if (disc->data[offset] == 0x03 && disc->data[offset + 1] == 0x03) {
+ if ( disc->data[offset + 2] == 0x18 && disc->data[offset + 3] == 0x03 ) {
+ return 1;
 }
 }
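Review bot: The reads of `disc->data[offset + 2]` and `disc->data[offset + 3]` in ext_ble_prox_cent_should_connect are in bounds only because `disc->data[offset] == 0x03` is tested first and, presumably, the enclosing loop has already rejected a structure that runs past `disc->length_data`. That guard is visible in the phy_cent hunk but lies outside this hunk and outside the htp_cent one. Advertising payloads arrive from any device in radio range, so the dependency deserves a comment that stops a later edit from relaxing the length test. Once the guard is confirmed to be present in this function, a line such as `/* len == 3 was bounds-checked above, so offset + 2 and offset + 3 are valid */` above the inner `if` would do.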