From ecf98ce012251866bb09f9c78663660844675fa1 Mon Sep 17 00:00:00 2001
From: Matthias Ringwald <matthias@ringwald.ch>
Date: Tue, 25 Feb 2020 10:47:24 +0100
Subject: [PATCH] ad_parser: avoid out-of-bounds read in
 ad_data_contains_uuid16/128 helpers

---
 src/ad_parser.c            | 10 ++++------
 test/fuzz/fuzz_ad_parser.c | 12 ++++++++++++
 2 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 test/fuzz/fuzz_ad_parser.c

diff --git a/src/ad_parser.c b/src/ad_parser.c
index 4efc68845..1778bec79 100644
--- a/src/ad_parser.c
+++ b/src/ad_parser.c
@@ -109,7 +109,7 @@ bool ad_data_contains_uuid16(uint8_t ad_len, const uint8_t * ad_data, uint16_t u
         switch (data_type){
             case BLUETOOTH_DATA_TYPE_INCOMPLETE_LIST_OF_16_BIT_SERVICE_CLASS_UUIDS:
             case BLUETOOTH_DATA_TYPE_COMPLETE_LIST_OF_16_BIT_SERVICE_CLASS_UUIDS:
-                for (i=0; i<data_len; i+=2){
+                for (i=0; (i+2) <= data_len; i+=2){
                     uint16_t uuid = little_endian_read_16(data, i);
                     if ( uuid == uuid16 ) return true;
                 }
@@ -118,8 +118,7 @@ bool ad_data_contains_uuid16(uint8_t ad_len, const uint8_t * ad_data, uint16_t u
             case BLUETOOTH_DATA_TYPE_COMPLETE_LIST_OF_128_BIT_SERVICE_CLASS_UUIDS:
                 uuid_add_bluetooth_prefix(ad_uuid128, uuid16);
                 reverse_128(ad_uuid128, uuid128_bt);
-            
-                for (i=0; i<data_len; i+=16){
+                for (i=0; (i+16) <= data_len; i+=16){
                     if (memcmp(uuid128_bt, &data[i], 16) == 0) return true;
                 }
                 break;
@@ -145,11 +144,10 @@ bool ad_data_contains_uuid128(uint8_t ad_len, const uint8_t * ad_data, const uin
         int i;
         uint8_t ad_uuid128[16];
 
-
         switch (data_type){
             case BLUETOOTH_DATA_TYPE_INCOMPLETE_LIST_OF_16_BIT_SERVICE_CLASS_UUIDS:
             case BLUETOOTH_DATA_TYPE_COMPLETE_LIST_OF_16_BIT_SERVICE_CLASS_UUIDS:
-                for (i=0; i<data_len; i+=2){
+                for (i=0; (i+2) <= data_len; i+=2){
                     uint16_t uuid16 = little_endian_read_16(data, i);
                     uuid_add_bluetooth_prefix(ad_uuid128, uuid16);
                     
@@ -159,7 +157,7 @@ bool ad_data_contains_uuid128(uint8_t ad_len, const uint8_t * ad_data, const uin
                 break;
             case BLUETOOTH_DATA_TYPE_INCOMPLETE_LIST_OF_128_BIT_SERVICE_CLASS_UUIDS:
             case BLUETOOTH_DATA_TYPE_COMPLETE_LIST_OF_128_BIT_SERVICE_CLASS_UUIDS:
-                for (i=0; i<data_len; i+=16){
+                for (i=0; (i+16) <= data_len; i+=16){
                     if (memcmp(uuid128_le, &data[i], 16) == 0) return true;
                 }
                 break;
diff --git a/test/fuzz/fuzz_ad_parser.c b/test/fuzz/fuzz_ad_parser.c
new file mode 100644
index 000000000..51ac105c3
--- /dev/null
+++ b/test/fuzz/fuzz_ad_parser.c
@@ -0,0 +1,12 @@
+#include <stdint.h>
+#include <stddef.h>
+
+#include "ad_parser.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    // ad parser uses uint88_t length
+    if (size > 255) return 0;
+    // test ad iterator by calling simple function that uses it
+    ad_data_contains_uuid16(size, data, 0xffff);
+    return 0;
+}