bluetooth: mesh: cfg_cli: Check buf len when pulling out data

PavelVPV · kartben · commit e2a0fafe423a · 2024-11-28T12:50:58.000+01:00
This commit checks that config client doesn't pull out data outside of the buffer. Fixes #80012 Signed-off-by: Pavel Vasilyev <pavel.vasilyev@nordicsemi.no>
diff --git a/subsys/bluetooth/mesh/cfg_cli.c b/subsys/bluetooth/mesh/cfg_cli.c
@@ -2332,6 +2332,10 @@ struct bt_mesh_comp_p1_elem *bt_mesh_comp_p1_elem_pull(struct net_buf_simple *bu
 	elem->nsig = net_buf_simple_pull_u8(buf);
 	elem->nvnd = net_buf_simple_pull_u8(buf);
 	for (i = 0; i < elem->nsig + elem->nvnd; i++) {
+		if (buf->len < elem_size + 1) {
+			return NULL;
+		}
+
 		header = buf->data[elem_size];
 		cor_present = COR_PRESENT(header);
 		fmt = FMT(header);
@@ -2346,6 +2350,10 @@ struct bt_mesh_comp_p1_elem *bt_mesh_comp_p1_elem_pull(struct net_buf_simple *bu
 		elem_size += (1 + cor_present) + (fmt + 1) * ext_item_cnt;
 	}
 
+	if (buf->len < elem_size) {
+		return NULL;
+	}
+
 	net_buf_simple_init_with_data(elem->_buf,
 				      net_buf_simple_pull_mem(buf, elem_size),
 				      elem_size);
@@ -2372,9 +2380,17 @@ struct bt_mesh_comp_p1_model_item *bt_mesh_comp_p1_item_pull(
 	item->ext_item_cnt = EXT_ITEM_CNT(header);
 	item_size = item->ext_item_cnt * (item->format + 1);
 	if (item->cor_present) {
+		if (elem->_buf->len < 1) {
+			return NULL;
+		}
+
 		item->cor_id = net_buf_simple_pull_u8(elem->_buf);
 	}
 
+	if (elem->_buf->len < item_size) {
+		return NULL;
+	}
+
 	net_buf_simple_init_with_data(item->_buf,
 				      net_buf_simple_pull_mem(elem->_buf, item_size),
 				      item_size);
