bluetooth: add PIN_CODE_LEN, check len in gap_pin_code_response_binary, fixes #542

2025-02-20 18:40:31 +00:00 · 2023-11-10 11:29:34 +01:00 · 2023-11-10 11:29:34 +01:00 · c26f2c7ba7
commit c26f2c7ba7
parent 730e827efa
3 changed files with 9 additions and 3 deletions
--- a/platform/daemon/src/daemon.c
+++ b/platform/daemon/src/daemon.c
@ -249,7 +249,7 @@ static const char * btstack_server_storage_path;

 // GAP command buffer
 #ifdef ENABLE_CLASSIC
-static uint8_t daemon_gap_pin_code[16];
+static uint8_t daemon_gap_pin_code[PIN_CODE_LEN];
 #endif

 // TLV
@ -1153,7 +1153,7 @@ static int btstack_command_handler(connection_t *connection, uint8_t *packet, ui
            break;
        case GAP_PIN_CODE_RESPONSE:
            reverse_bd_addr(&packet[3], addr);
-            memcpy(daemon_gap_pin_code, &packet[10], 16);
+            memcpy(daemon_gap_pin_code, &packet[10], PIN_CODE_LEN);
            gap_pin_code_response_binary(addr, daemon_gap_pin_code, packet[9]);
            break;
        case GAP_PIN_CODE_NEGATIVE:
--- a/src/bluetooth.h
+++ b/src/bluetooth.h
@ -79,6 +79,11 @@ typedef uint8_t bd_addr_t[BD_ADDR_LEN];
    BD_ADDR_TYPE_UNKNOWN   = 0xfe,  // also used as 'invalid'
 } bd_addr_type_t;

+ /**
+  * Pin Codde
+  */
+#define PIN_CODE_LEN 16
+
 /**
 * Link types for BR/EDR Connections
 */
--- a/src/hci.c
+++ b/src/hci.c
@ -5796,7 +5796,7 @@ static bool hci_run_general_gap_classic(void){
    // pairing
    if (hci_stack->gap_pairing_state != GAP_PAIRING_STATE_IDLE){
        uint8_t state = hci_stack->gap_pairing_state;
-        uint8_t pin_code[16];
+        uint8_t pin_code[PIN_CODE_LEN];
        switch (state){
            case GAP_PAIRING_STATE_SEND_PIN:
                hci_stack->gap_pairing_state = GAP_PAIRING_STATE_IDLE;
@ -9142,6 +9142,7 @@ static int gap_pairing_set_state_and_run(const bd_addr_t addr, uint8_t state){
 */
 int gap_pin_code_response_binary(const bd_addr_t addr, const uint8_t * pin_data, uint8_t pin_len){
    if (hci_stack->gap_pairing_state != GAP_PAIRING_STATE_IDLE) return ERROR_CODE_COMMAND_DISALLOWED;
+    if (pin_len > PIN_CODE_LEN) return ERROR_CODE_INVALID_HCI_COMMAND_PARAMETERS;
    hci_stack->gap_pairing_input.gap_pairing_pin = pin_data;
    hci_stack->gap_pairing_pin_len = pin_len;
    return gap_pairing_set_state_and_run(addr, GAP_PAIRING_STATE_SEND_PIN);