From d8131086ac32fc716c91e2d8e018d1c73a20e414 Mon Sep 17 00:00:00 2001 From: Flavio Ceolin Date: Mon, 17 Jul 2023 11:38:03 -0700 Subject: [PATCH] bt: mesh: shell: Fix possible buffer overflow Fix possible overflow in rpr_scan_report. (cherry picked from commit ddd2bc94e2f4b51a3ac6f1f0e63e5665266c0f3f) Original-Signed-off-by: Flavio Ceolin GitOrigin-RevId: ddd2bc94e2f4b51a3ac6f1f0e63e5665266c0f3f Change-Id: I0f21a7ad6739c708e68ac208825e8183533ef898 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/zephyr/+/4704780 Reviewed-by: Fabio Baltieri Tested-by: Fabio Baltieri Commit-Queue: Fabio Baltieri Tested-by: ChromeOS Prod (Robot)
--- subsys/bluetooth/mesh/shell/rpr.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/subsys/bluetooth/mesh/shell/rpr.c b/subsys/bluetooth/mesh/shell/rpr.c
index df8979682ca..c8f05817104 100644
--- a/subsys/bluetooth/mesh/shell/rpr.c
+++ b/subsys/bluetooth/mesh/shell/rpr.c
@@ -38,9 +38,26 @@ static void rpr_scan_report(struct bt_mesh_rpr_cli *cli,
 uint8_t len, type;
 uint8_t data[31];
- len = net_buf_simple_pull_u8(adv_data) - 1;
+ len = net_buf_simple_pull_u8(adv_data);
+ if (len == 0) {
+ /* No data in this AD Structure. */
+ continue;
+ }
+
+ if (len > adv_data->len) {
+ /* Malformed AD Structure. */
+ break;
+ }
+
 type = net_buf_simple_pull_u8(adv_data);
- memcpy(data, net_buf_simple_pull_mem(adv_data, len), len);
+ if ((--len) > 0) {
+ uint8_t dlen;
+
+ /* Pull all length, but print only what fits into `data` array. */
+ dlen = MIN(len, sizeof(data) - 1);
+ memcpy(data, net_buf_simple_pull_mem(adv_data, len), dlen);
+ len = dlen;
+ }
 data[len] = '\0';
 if (type == BT_DATA_URI) {
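Review bot: The new `if (len == 0)` branch uses `continue`, so a zero length octet is treated as an empty AD structure and the walk resumes on the next byte, whereas the Core Spec (Vol 3, Part C, 11) uses a zero length octet to mark the start of the all-zero non-significant part; the loop would then step through the padding one byte at a time instead of stopping where the significant data ends, and `break` (matching the malformed-length branch just below) would be the consistent choice, e.g. `/* Zero length marks the start of the non-significant part. */ break;`. This is a robustness point rather than an overflow: with the `len > adv_data->len` check the `type` and payload pulls stay inside the buffer, assuming the enclosing loop is bounded by `adv_data->len` — that loop header is outside the hunk (rpr_scan_report starts before this hunk and continues after it). Separately, the `MIN(len, sizeof(data) - 1)` clamp truncates silently, and the bytes it keeps come straight from a remote device's advertising report; if `data` is later emitted with `%s`, a comment noting that the payload may hold non-printable bytes and that a URI may have been clipped at 30 bytes would help whoever reads the shell output.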