From c26f2c7ba71221a2122afaf0cfbfa38f1ce5c589 Mon Sep 17 00:00:00 2001
From: Matthias Ringwald
Date: Fri, 10 Nov 2023 11:29:34 +0100
Subject: [PATCH] bluetooth: add PIN_CODE_LEN, check len in gap_pin_code_response_binary, fixes #542
---
 platform/daemon/src/daemon.c | 4 ++--
 src/bluetooth.h | 5 +++++
 src/hci.c | 3 ++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/platform/daemon/src/daemon.c b/platform/daemon/src/daemon.c
index bfd6a26fb..85e9484e9 100644
--- a/platform/daemon/src/daemon.c
+++ b/platform/daemon/src/daemon.c
@@ -249,7 +249,7 @@ static const char * btstack_server_storage_path; // GAP command buffer
 #ifdef ENABLE_CLASSIC
-static uint8_t daemon_gap_pin_code[16];
+static uint8_t daemon_gap_pin_code[PIN_CODE_LEN];
 #endif // TLV
@@ -1153,7 +1153,7 @@ static int btstack_command_handler(connection_t *connection, uint8_t *packet, ui
 break;
 case GAP_PIN_CODE_RESPONSE:
 reverse_bd_addr(&packet[3], addr);
- memcpy(daemon_gap_pin_code, &packet[10], 16);
+ memcpy(daemon_gap_pin_code, &packet[10], PIN_CODE_LEN);
 gap_pin_code_response_binary(addr, daemon_gap_pin_code, packet[9]);
 break;
 case GAP_PIN_CODE_NEGATIVE:
diff --git a/src/bluetooth.h b/src/bluetooth.h
index 2062754b9..2b4f8a1f4 100644
--- a/src/bluetooth.h
+++ b/src/bluetooth.h
@@ -79,6 +79,11 @@ typedef uint8_t bd_addr_t[BD_ADDR_LEN];
 BD_ADDR_TYPE_UNKNOWN = 0xfe, // also used as 'invalid'
 } bd_addr_type_t;
+ /** * Pin Codde */
+#define PIN_CODE_LEN 16
+ /** * Link types for BR/EDR Connections */
diff --git a/src/hci.c b/src/hci.c
index c4edf2764..91cdb44a1 100644
--- a/src/hci.c
+++ b/src/hci.c
@@ -5796,7 +5796,7 @@ static bool hci_run_general_gap_classic(void){
 // pairing
 if (hci_stack->gap_pairing_state != GAP_PAIRING_STATE_IDLE){
 uint8_t state = hci_stack->gap_pairing_state;
- uint8_t pin_code[16];
+ uint8_t pin_code[PIN_CODE_LEN];
 switch (state){
 case GAP_PAIRING_STATE_SEND_PIN:
 hci_stack->gap_pairing_state = GAP_PAIRING_STATE_IDLE;
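Review bot: The status returned by `gap_pin_code_response_binary` is still discarded on the line after the memcpy in the GAP_PIN_CODE_RESPONSE case, so a daemon client that sends a PIN length above PIN_CODE_LEN in packet[9] now has its request dropped silently instead of reaching the controller; only direct library callers see the new error code. I would capture it, e.g. `int status = gap_pin_code_response_binary(addr, daemon_gap_pin_code, packet[9]);`, and route a non-zero status through whatever logging or client error path the neighbouring GAP cases in this handler use, which lies outside the hunk. The memcpy copies a fixed PIN_CODE_LEN bytes from offset 10 regardless of packet[9], so it relies on the command packet being at least 10 + PIN_CODE_LEN bytes long; presumably the daemon validates the packet length before dispatching, but that check is not visible here and is worth confirming. btstack_command_handler begins and ends outside the hunk.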
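Review bot: The doc comment on the new `PIN_CODE_LEN` define in bluetooth.h reads `Pin Codde` and says nothing about what the constant bounds, although callers now compare externally supplied lengths against it and size buffers with it. I would replace the three-line comment with `/** Maximum length in bytes of a BR/EDR PIN code: the HCI PIN Code Request Reply carries a fixed 16-byte PIN field, of which pin_len bytes are used */`, so the next reader knows the value comes from the HCI command layout rather than from the daemon's buffer size.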
@@ -9142,6 +9142,7 @@ static int gap_pairing_set_state_and_run(const bd_addr_t addr, uint8_t state){
 */
 int gap_pin_code_response_binary(const bd_addr_t addr, const uint8_t * pin_data, uint8_t pin_len){
 if (hci_stack->gap_pairing_state != GAP_PAIRING_STATE_IDLE) return ERROR_CODE_COMMAND_DISALLOWED;
+ if (pin_len > PIN_CODE_LEN) return ERROR_CODE_INVALID_HCI_COMMAND_PARAMETERS;
 hci_stack->gap_pairing_input.gap_pairing_pin = pin_data;
 hci_stack->gap_pairing_pin_len = pin_len;
 return gap_pairing_set_state_and_run(addr, GAP_PAIRING_STATE_SEND_PIN);
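Review bot: The new check rejects only lengths above PIN_CODE_LEN, so `pin_len == 0` still passes, is stored in gap_pairing_pin_len and is later sent as the reply; a BR/EDR PIN is 1 to 16 bytes, so I would reject both ends: `if ((pin_len == 0) || (pin_len > PIN_CODE_LEN)) return ERROR_CODE_INVALID_HCI_COMMAND_PARAMETERS;`. The function also keeps the `pin_data` pointer rather than copying the bytes, so the caller must keep that buffer alive until the SEND_PIN state has run; that contract belongs in the doc comment whose closing `*/` is the first line of the hunk, e.g. `@note pin_data must remain valid until the PIN has been handed to the controller`. A NULL `pin_data` with a non-zero `pin_len` is not rejected either; if that is deliberate for this API, the same comment should say so.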