bt: mesh: shell: Fix possible buffer overflow

Fix possible overflow in rpr_scan_report. (cherry picked from commit ddd2bc9) Original-Signed-off-by: Flavio Ceolin <[email protected]> GitOrigin-RevId: ddd2bc9 Change-Id: I0f21a7ad6739c708e68ac208825e8183533ef898 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/zephyr/+/4704780 Reviewed-by: Fabio Baltieri <[email protected]> Tested-by: Fabio Baltieri <[email protected]> Commit-Queue: Fabio Baltieri <[email protected]> Tested-by: ChromeOS Prod (Robot) <[email protected]>
coreboot · Jul 20, 2023 · d813108 · d813108
1 parent 784ba3a
commit d813108
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/subsys/bluetooth/mesh/shell/rpr.c b/subsys/bluetooth/mesh/shell/rpr.c
@@ -38,9 +38,26 @@ static void rpr_scan_report(struct bt_mesh_rpr_cli *cli,
 		uint8_t len, type;
 		uint8_t data[31];
 
-		len = net_buf_simple_pull_u8(adv_data) - 1;
+		len = net_buf_simple_pull_u8(adv_data);
+		if (len == 0) {
+			/* No data in this AD Structure. */
+			continue;
+		}
+
+		if (len > adv_data->len) {
+			/* Malformed AD Structure. */
+			break;
+		}
+
 		type = net_buf_simple_pull_u8(adv_data);
-		memcpy(data, net_buf_simple_pull_mem(adv_data, len), len);
+		if ((--len) > 0) {
+			uint8_t dlen;
+
+			/* Pull all length, but print only what fits into `data` array. */
+			dlen = MIN(len, sizeof(data) - 1);
+			memcpy(data, net_buf_simple_pull_mem(adv_data, len), dlen);
+			len = dlen;
+		}
 		data[len] = '\0';
 
 		if (type == BT_DATA_URI) {