Bluetooth: controller: Check length field of adv and scan response data

joerchan · nashif · commit abe47b704d48 · 2021-08-30T09:01:05.000-04:00
Check the length field of the advertising and scan response data.

Signed-off-by: Joakim Andersson &lt;joakim.andersson@nordicsemi.no&gt;
diff --git a/subsys/bluetooth/controller/ll_sw/ll_adv.c b/subsys/bluetooth/controller/ll_sw/ll_adv.c
@@ -296,6 +296,10 @@ u8_t ll_adv_data_set(u8_t len, u8_t const *const data)
 	struct pdu_adv *pdu;
 	u8_t last;
 
+	if (len > PDU_AC_SIZE_MAX) {
+		return BT_HCI_ERR_INVALID_PARAM;
+	}
+
 	/* Dont update data if directed or extended advertising. */
 	radio_adv_data = radio_adv_data_get();
 	prev = (struct pdu_adv *)&radio_adv_data->data[radio_adv_data->last][0];
@@ -352,6 +356,10 @@ u8_t ll_adv_scan_rsp_set(u8_t len, u8_t const *const data)
 	struct pdu_adv *pdu;
 	u8_t last;
 
+	if (len > PDU_AC_SIZE_MAX) {
+		return BT_HCI_ERR_INVALID_PARAM;
+	}
+
 	/* use the last index in double buffer, */
 	radio_scan_data = radio_scan_data_get();
 	if (radio_scan_data->first == radio_scan_data->last) {
diff --git a/subsys/bluetooth/controller/ll_sw/ull_adv.c b/subsys/bluetooth/controller/ll_sw/ull_adv.c
@@ -331,6 +331,10 @@ u8_t ll_adv_data_set(u8_t len, u8_t const *const data)
 	struct pdu_adv *pdu;
 	u8_t idx;
 
+	if (len > PDU_AC_SIZE_MAX) {
+		return BT_HCI_ERR_INVALID_PARAM;
+	}
+
 	adv = ull_adv_set_get(handle);
 	if (!adv) {
 		return BT_HCI_ERR_CMD_DISALLOWED;
@@ -382,6 +386,10 @@ u8_t ll_adv_scan_rsp_set(u8_t len, u8_t const *const data)
 	struct pdu_adv *pdu;
 	u8_t idx;
 
+	if (len > PDU_AC_SIZE_MAX) {
+		return BT_HCI_ERR_INVALID_PARAM;
+	}
+
 	adv = ull_adv_set_get(handle);
 	if (!adv) {
 		return BT_HCI_ERR_CMD_DISALLOWED;
