Commit f002629

bluetooth: userchan: Guard reads from beyond frame size
Even though through code-inspection there isn't a clear path where the guard wouldn't act upon the length reaching the limit, this check is moved up to unconditionally validate it on every read. Fixes zephyrproject-rtos#84731. Signed-off-by: Luis Ubieda <[email protected]>
1 parent 9c9c080 commit f002629

File tree

1 file changed

+7
-8
lines changed

drivers/bluetooth/hci/userchan.c

Lines changed: 7 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -189,6 +189,12 @@ static void rx_thread(void *p1, void *p2, void *p3)
189189
continue;
190190
}
191191

192+
if (frame_size >= sizeof(frame)) {
193+
LOG_ERR("HCI Packet is too big for frame (%d "
194+
"bytes). Dropping data", sizeof(frame));
195+
frame_size = 0; /* Drop buffer */
196+
}
197+
192198
LOG_DBG("calling read()");
193199

194200
len = nsi_host_read(uc->fd, frame + frame_size, sizeof(frame) - frame_size);
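Review bot: the `LOG_ERR` in the new guard passes `sizeof(frame)` (a `size_t`) to a `%d` conversion; use `%zu` (or cast to `int`) so the format matches the argument, since the message removed in the second hunk carried the same mismatch and this is the chance to fix it. The placement of the guard is right: checking `frame_size >= sizeof(frame)` before the read keeps `sizeof(frame) - frame_size` from wrapping to a huge unsigned length, so `nsi_host_read()` can never be handed more room than `frame` actually has. One question: when the buffer is dropped with `frame_size = 0`, is `frame_start` reset somewhere else in the loop? If not, resetting it here alongside `frame_size` would avoid a stale pointer into discarded data.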
@@ -218,14 +224,7 @@ static void rx_thread(void *p1, void *p2, void *p3)
218224
}
219225

220226
if (decoded_len == 0) {
221-
if (frame_size == sizeof(frame)) {
222-
LOG_ERR("HCI Packet (%d bytes) is too big for frame (%d "
223-
"bytes)",
224-
decoded_len, sizeof(frame));
225-
frame_size = 0; /* Drop buffer */
226-
break;
227-
}
228-
if (frame_start != frame) {
227+
if ((frame_start != frame) && (frame_size < sizeof(frame))) {
229228
memmove(frame, frame_start, frame_size);
230229
}
231230
/* Read more */
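Review bot: the added `frame_size < sizeof(frame)` condition on the `memmove` looks redundant now that the guard at the top of the loop drops a full buffer before every read; if it is intended as defence in depth, a short comment saying so would stop a later reader from removing it. Note also that the deleted `break` used to leave the decode loop as soon as the frame was full, whereas the new code falls through to `/* Read more */` with `frame_size` still equal to `sizeof(frame)` and relies on the top-of-loop check to drop the data; a one-line comment at `/* Read more */` pointing at that guard would make the control flow easier to follow. Dropping the old message's `decoded_len` argument costs nothing, as it was always 0 inside this `if (decoded_len == 0)` branch.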
