Cordio BLE: Fix two integer overflows (CVE-2024-48982) (#386)

Diff-fusion · web-flow · commit 8974db5f9a9a · 2024-11-21T08:54:37.000-08:00
* Cordio BLE: Fix two integer overflows

* Cordio BLE: Fix sign in length check
diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
@@ -2482,6 +2482,11 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
   uint8_t       cbackEvt = 0;
   hciEvtCback_t cback = hciCb.evtCback;
 
+  if (len < 3)
+  {
+    return;
+  }
+
   BSTREAM_TO_UINT8(numPkts, p);
   BSTREAM_TO_UINT16(opcode, p);
 
@@ -2695,7 +2700,7 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
     if (cbackEvt == HCI_UNHANDLED_CMD_CMPL_CBACK_EVT) {
       const uint8_t structSize = sizeof(hciUnhandledCmdCmplEvt_t) - 1 /* removing the fake 1-byte array */;
       const uint8_t remainingLen = len - 3 /* we already read opcode and numPkts */;
-      const uint8_t msgSize = structSize + remainingLen;
+      const uint16_t msgSize = structSize + remainingLen;
 
       pMsg = WsfBufAlloc(msgSize);
       if (pMsg != NULL) {
