81 changes: 43 additions & 38 deletions os/net/blemgr/bledev.c
Expand Up @@ -72,6 +72,15 @@ int trble_scan_data_enque(trble_scanned_device *info)
return 0;
}

static int _memcpy_safe(void *dest, size_t dest_size, const void *src, size_t src_size)
{
if (src_size > dest_size) {
return -1;
}
memcpy(dest, src, src_size);
return 0;
}

int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_len)
{
trble_result_e ret = TRBLE_FAIL;
Expand All @@ -83,7 +92,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -122,17 +131,13 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
break;
case LWNL_REQ_BLE_SEC_PARAM_SET:
{
trble_sec_param *sec_param = (trble_sec_param *)data;
trble_sec_param sec_param = { 0, };
Collaborator


This line looks like it is not only a security vulnerability fix but also a change in BLE behavior. Is this OK?

Contributor Author


The BLE functionality was verified using the TizenLite test cases based on the final build output.
To elaborate further on the modifications, after saving the pointer to the trble_sec_param structure into a local pointer variable, memcpy is performed. However, since the destination and source are identical, this operation is meaningless. Therefore, it has been modified to align with the method of copying into lwnl_msg_params.

if (data != NULL) {
memcpy(sec_param, data, data_len);
_memcpy_safe(&sec_param, sizeof(trble_sec_param), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
if (sec_param != NULL) {
TRBLE_DRV_CALL(ret, dev, set_sec_param, (dev, sec_param));
} else {
ret = TRBLE_INVALID_ARGS;
}
TRBLE_DRV_CALL(ret, dev, set_sec_param, (dev, &sec_param));
}
break;
case LWNL_REQ_BLE_PASSKEY_CONFIRM:
Expand All @@ -141,7 +146,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
uint8_t *confirm = 0;
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -168,7 +173,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -203,7 +208,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -245,7 +250,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -333,7 +338,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -388,7 +393,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -405,7 +410,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -422,7 +427,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -439,7 +444,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -480,7 +485,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -499,7 +504,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -517,7 +522,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -535,7 +540,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -552,7 +557,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -569,7 +574,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -585,7 +590,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
trble_conn_param *conn_param;
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -614,7 +619,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -631,7 +636,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -702,7 +707,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -738,7 +743,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
lwnl_msg_params param = { 0, };
if (data != NULL)
{
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -786,7 +791,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le

lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -814,7 +819,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -828,7 +833,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand Down Expand Up @@ -875,7 +880,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -888,7 +893,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -903,7 +908,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
uint16_t value;
if (data != NULL) {
memcpy(&value, data, data_len);
_memcpy_safe(&value, sizeof(uint16_t), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -914,7 +919,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -928,7 +933,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -942,7 +947,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
uint16_t cid;
if (data != NULL) {
memcpy(&cid, data, data_len);
_memcpy_safe(&cid, sizeof(uint16_t), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
Expand All @@ -954,7 +959,7 @@ int bledev_handle(struct bledev *dev, lwnl_req cmd, void *data, uint32_t data_le
{
lwnl_msg_params param = { 0, };
if (data != NULL) {
memcpy(&param, data, data_len);
_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len);
} else {
return TRBLE_INVALID_ARGS;
}
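Review bot: The return value of `_memcpy_safe` is discarded at every call site in `bledev_handle`, so an oversized `data_len` now skips the copy but the handler still carries on with a zero-filled `param` or `sec_param`, and in the two `uint16_t` cases (`value`, `cid`) with an uninitialized local. Each call should fail closed, for example `if (_memcpy_safe(&param, sizeof(lwnl_msg_params), data, data_len) != 0) { return TRBLE_INVALID_ARGS; }`. A `data_len` smaller than the destination is still accepted and leaves the tail of the struct at its initial value; if the request layout is fixed-size, requiring equality would be stricter, though what callers send is not visible here. `bledev_handle` starts and ends outside these hunks.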
2 changes: 1 addition & 1 deletion os/net/bluetooth/bluetooth.c
Expand Up @@ -135,7 +135,7 @@ static int set_ad(unsigned short hci_op, const struct bt_ad *ad, size_t ad_len)
/* Check if ad fit in the remaining buffer */
if (set_data->len + len + 2 > 31) {
len = 31 - (set_data->len + 2);
if (type != BT_DATA_NAME_COMPLETE || !len) {
if (type != BT_DATA_NAME_COMPLETE || len <= 0) {
bt_buf_release(buf);
ndbg("Too big advertising data");
return -EINVAL;
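Review bot: Whether `len <= 0` catches the underflow depends on the type of `len`, which is declared outside this hunk. If it is unsigned, `31 - (set_data->len + 2)` wraps to a large value once `set_data->len + 2` exceeds 31, and the new test then behaves exactly like the old `!len`. Testing before the subtraction avoids relying on the type: put `if (type != BT_DATA_NAME_COMPLETE || set_data->len + 2 >= 31) {` ahead of `len = 31 - (set_data->len + 2);`. The literals 31 and 2 would also read better as named constants. `set_ad` continues outside the hunk.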
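--- a/os/net/bluetooth/bt_hcicore.c
+++ b/os/net/bluetooth/bt_hcicore.c
@@ -1698,16 +1698,13 @@ int bt_start_advertising(uint8_t type, FAR const struct bt_eir_s *ad, FAR const
 set_data = bt_buf_extend(buf, sizeof(*set_data));
 
 memset(set_data, 0, sizeof(*set_data));
+struct bt_eir_s adv_data = { 0, };
+memcpy(&adv_data, ad, sizeof(struct bt_eir_s));
 
-for (i = 0; ad[i].len > 0; i++) {
-/* Check if ad fit in the remaining buffer */
-
-if (set_data->len + ad[i].len + 1 > 29) {
-break;
-}
-
-memcpy(&set_data->data[set_data->len], &ad[i], ad[i].len + 1);
-set_data->len += ad[i].len + 1;
+/* Check if ad fit in the remaining buffer */
+if (adv_data.len > 0 && set_data->len + adv_data.len + 1 <= 29) {
+memcpy(&set_data->data[set_data->len], &adv_data, adv_data.len + 1);
+set_data->len += adv_data.len + 1;
 }
 
 bt_hci_cmd_send(BT_HCI_OP_LE_SET_ADV_DATA, buf);
@@ -1726,16 +1723,13 @@ int bt_start_advertising(uint8_t type, FAR const struct bt_eir_s *ad, FAR const
 scan_rsp = bt_buf_extend(buf, sizeof(*scan_rsp));
 
 memset(scan_rsp, 0, sizeof(*scan_rsp));
+struct bt_eir_s resp_data = { 0, };
+memcpy(&resp_data, sd, sizeof(struct bt_eir_s));
 
-for (i = 0; sd[i].len > 0; i++) {
-/* Check if ad fit in the remaining buffer */
-
-if (scan_rsp->len + sd[i].len + 1 > 29) {
-break;
-}
-
-memcpy(&scan_rsp->data[scan_rsp->len], &sd[i], sd[i].len + 1);
-scan_rsp->len += sd[i].len + 1;
+/* Check if ad fit in the remaining buffer */
+if (resp_data.len > 0 && scan_rsp->len + resp_data.len + 1 <= 29) {
+memcpy(&scan_rsp->data[scan_rsp->len], &resp_data, resp_data.len + 1);
+scan_rsp->len += resp_data.len + 1;
 }
 
 bt_hci_cmd_send(BT_HCI_OP_LE_SET_SCAN_RSP_DATA, buf);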
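Review bot: Replacing the `for (i = 0; ad[i].len > 0; i++)` loop with a single copy of `*ad` means only the first `bt_eir_s` entry reaches the advertising data. Any further entries of a zero-length-terminated array are now dropped without an error, and the same applies to `sd` in the scan-response hunk. If callers do pass arrays, keep the loop together with its `> 29` bound check. The new `memcpy(&adv_data, ad, sizeof(struct bt_eir_s));` and its `sd` counterpart also dereference the pointer unconditionally; whether a NULL check guards them is not visible here. `bt_start_advertising` starts and ends outside both hunks.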