hci_transport_h4, hci_transport_em9304_spi.c: add checks for Event + SCO packet lengths

2025-01-10 10:21:48 +00:00 · 2018-07-23 14:19:33 +02:00 · 2018-07-23 14:19:33 +02:00 · e8b8106866
commit e8b8106866
parent fc6cde64da
2 changed files with 20 additions and 2 deletions
--- a/src/hci_transport_em9304_spi.c
+++ b/src/hci_transport_em9304_spi.c
@ -437,6 +437,12 @@ static void hci_transport_em9304_spi_block_read(void){
            
        case H4_W4_EVENT_HEADER:
            hci_transport_em9304_spi_bytes_to_read = hci_packet[2];
+            // check ACL length
+            if (HCI_EVENT_HEADER_SIZE + hci_transport_em9304_spi_bytes_to_read >  HCI_INCOMING_PACKET_BUFFER_SIZE){
+                log_error("invalid Event len %d - only space for %u", hci_transport_em9304_spi_bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE);
+                hci_transport_em9304_spi_reset_statemachine();
+                break;
+            }
            hci_transport_em9304_h4_state = H4_W4_PAYLOAD;
            break;
            
@ -446,7 +452,7 @@ static void hci_transport_em9304_spi_block_read(void){
            if (HCI_ACL_HEADER_SIZE + hci_transport_em9304_spi_bytes_to_read >  HCI_INCOMING_PACKET_BUFFER_SIZE){
                log_error("invalid ACL payload len %d - only space for %u", hci_transport_em9304_spi_bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
                hci_transport_em9304_spi_reset_statemachine();
-                break;              
+                break;
            }
            hci_transport_em9304_h4_state = H4_W4_PAYLOAD;
            break;
--- a/src/hci_transport_h4.c
+++ b/src/hci_transport_h4.c
@ -211,6 +211,12 @@ static void hci_transport_h4_block_read(void){
            
        case H4_W4_EVENT_HEADER:
            bytes_to_read = hci_packet[2];
+            // check Event length
+            if (HCI_EVENT_HEADER_SIZE + bytes_to_read >  HCI_INCOMING_PACKET_BUFFER_SIZE){
+                log_error("hci_transport_h4: invalid Event len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE);
+                hci_transport_h4_reset_statemachine();
+                break;
+            }
            h4_state = H4_W4_PAYLOAD;
            break;
            
@ -220,13 +226,19 @@ static void hci_transport_h4_block_read(void){
            if (HCI_ACL_HEADER_SIZE + bytes_to_read >  HCI_INCOMING_PACKET_BUFFER_SIZE){
                log_error("hci_transport_h4: invalid ACL payload len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
                hci_transport_h4_reset_statemachine();
-                break;              
+                break;
            }
            h4_state = H4_W4_PAYLOAD;
            break;
            
        case H4_W4_SCO_HEADER:
            bytes_to_read = hci_packet[3];
+            // check SCO length
+            if (HCI_SCO_HEADER_SIZE + bytes_to_read >  HCI_INCOMING_PACKET_BUFFER_SIZE){
+                log_error("hci_transport_h4: invalid SCO payload len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_SCO_HEADER_SIZE);
+                hci_transport_h4_reset_statemachine();
+                break;
+            }
            h4_state = H4_W4_PAYLOAD;
            break;