[nrf fromtree] bluetooth: mesh: proxy_msg: check that att mtu is big enough

PavelVPV · m-alperen-sener · commit fc18aaa2d2e5 · 2025-02-20T09:37:26.000+01:00
This commit checks that ATT MTU value returned by `bt_gatt_get_mtu` is greater or equal to 3 to prevent integer overflow. Fixes #84693 Coverity-CID: 487743 Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no> (cherry picked from commit 038173a)
diff --git a/subsys/bluetooth/mesh/proxy_msg.c b/subsys/bluetooth/mesh/proxy_msg.c
@@ -176,14 +176,20 @@ int bt_mesh_proxy_msg_send(struct bt_conn *conn, uint8_t type,
 			   bt_gatt_complete_func_t end, void *user_data)
 {
 	int err;
+	uint16_t att_mtu = bt_gatt_get_mtu(conn);
 	uint16_t mtu;
 	struct bt_mesh_proxy_role *role = &roles[bt_conn_index(conn)];
 
 	LOG_DBG("conn %p type 0x%02x len %u: %s", (void *)conn, type, msg->len,
 		bt_hex(msg->data, msg->len));
 
 	/* ATT_MTU - OpCode (1 byte) - Handle (2 bytes) */
-	mtu = bt_gatt_get_mtu(conn) - 3;
+	if (att_mtu < 3) {
+		LOG_WRN("Invalid ATT MTU: %d", att_mtu);
+		return -EINVAL;
+	}
+
+	mtu = att_mtu - 3;
 	if (mtu > msg->len) {
 		net_buf_simple_push_u8(msg, PDU_HDR(SAR_COMPLETE, type));
 		return role->cb.send(conn, msg->data, msg->len, end, user_data);
