os/net : Fix the reported security vulnerabilities related to Bluetooth#7187
Open
giwon-nam wants to merge 3 commits into Samsung:master from
Conversation
- In the `bledev_handle` function, `memcpy` is performed before checking the parameters of the received message. Since `memcpy` is executed for the length specified by `data_len`, if a value larger than the actual parameter is input as `data_len`, an overflow may occur.
- Defended against overflow by using `_memcpy_safe` instead of simple `memcpy`, ensuring that copying is not performed if the input value exceeds the actual buffer size.

…neric Bluetooth stack
- In the generic Bluetooth stack, when setting legacy advertising data, which can allocate up to 31 bytes, there is a possibility of underflow because the process of checking for cases where the data copy exceeds 31 bytes does not handle negative numbers.
- Instead of simply checking if the remaining buffer size is zero, the code has been updated to also verify for negative values, thereby preventing underflow.

…he generic Bluetooth stack
- The existing API was implemented to receive advertising data in an array format without size restrictions, allowing for simultaneous transmission of multiple advertisements.
- Although the requirements at the time of the function's creation are unknown, to resolve the security vulnerability, it has been modified to assume support for only single advertising, starting advertising with only one raw data and one scan response.
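The two checks described in the first two commit messages above, written out as an added illustrative example in C (not TizenRT code): a bounded copy modelled on the `_memcpy_safe` the commit mentions, with an assumed signature, and a legacy advertising-data append where a remainder test of `== 0` misses negative values while `< 0` rejects them. The buffer layout, type names and test values are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define AD_MAX_LEN 31   /* legacy BLE advertising payload limit, as the commit states */

/* Bounded copy modelled on the `_memcpy_safe` the commit describes; the
 * signature is assumed. It refuses, rather than truncates, when the
 * caller-supplied length exceeds the destination's real size. */
static int memcpy_safe_example(void *dst, size_t dst_size, const void *src, size_t data_len)
{
    if (data_len > dst_size) {
        return -1;              /* data_len from the message is larger than the real buffer */
    }
    memcpy(dst, src, data_len);
    return 0;
}

/* Constructed advertising buffer: AD structures are [len][type][payload],
 * where len counts the type byte plus the payload. `used` is signed so the
 * remaining-space arithmetic can go negative instead of wrapping. */
typedef struct {
    uint8_t buf[AD_MAX_LEN];
    int used;
} adv_data_example;

/* Model of the check the commit replaces: it only recognises "exactly full",
 * so a negative remainder is treated as free space. Returns 1 if it would copy. */
static int ad_fits_vuln(const adv_data_example *ad, int need)
{
    int remaining = AD_MAX_LEN - ad->used - need;
    return remaining == 0 ? 0 : 1;
}

/* Fixed append: any negative remainder means the element does not fit. */
static int ad_append(adv_data_example *ad, uint8_t type, const uint8_t *payload, uint8_t len)
{
    int need = 2 + len;                 /* length byte + type byte + payload */
    if (AD_MAX_LEN - ad->used - need < 0) {
        return -1;                      /* would overrun the 31-byte buffer */
    }
    ad->buf[ad->used] = (uint8_t)(1 + len);
    ad->buf[ad->used + 1] = type;
    memcpy(&ad->buf[ad->used + 2], payload, len);
    ad->used += need;
    return 0;
}
```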
hk-gwak reviewed on Mar 12, 2026
| case LWNL_REQ_BLE_SEC_PARAM_SET: | ||
| { | ||
| trble_sec_param *sec_param = (trble_sec_param *)data; | ||
| trble_sec_param sec_param = { 0, }; |
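Review bot: replacing the `(trble_sec_param *)data` cast with a zero-initialised local `trble_sec_param sec_param = { 0, };` means the struct is now filled by a copy that is outside this excerpt; please confirm that copy is the length-checked `_memcpy_safe` against `data_len` described in the commit message, and that when the copy is refused the handler does not go on to use the all-zero `sec_param` as a valid parameter set. A one-line comment stating why the aliasing pointer was dropped would also help, since the reviewer below reads this line as a BLE behaviour change rather than a hardening fix.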
hk-gwak (Collaborator):
This line looks like not only a security vulnerability fix, but also a change in BLE behavior. Is this OK?
giwon-nam (Contributor, Author):
The BLE functionality was verified using the TizenLite test cases based on the final build output.
To elaborate further on the modifications, after saving the pointer to the `trble_sec_param` structure into a local pointer variable, `memcpy` is performed. However, since the destination and source are identical, this operation is meaningless. Therefore, it has been modified to align with the method of copying into `lwnl_msg_params`.
hk-gwak approved these changes on Mar 13, 2026
Fixed the following three security vulnerabilities related to Bluetooth.
- bledev-lwnl-msg-params-overflow
- bt-adv-set_ad-len-underflow
- bt-adv-unbounded-list

Verification of existing BLE functionalities.

For os/net/bluetooth, it is unknown whether multi advertising was previously supported. However, since it has been modified to support only single advertising, previously functioning features may malfunction. If the following configs are enabled, the modifications may have an impact.