From f155c0d06a351eb3b7c780d231a7c1c6116627ec Mon Sep 17 00:00:00 2001
From: Vinayak Kariappa Chettimada
Date: Wed, 13 Jan 2021 07:46:42 +0530
Subject: [PATCH] Bluetooth: controller: Add invalid ACL data length check

Add checks to detect ACL data lengths greater than the configured maximum Tx buffer size in the controller. The Host should conform to the LE_ACL_Data_Packet_Length returned by the LE Read Buffer Size command.

Signed-off-by: Vinayak Kariappa Chettimada
---
 subsys/bluetooth/controller/hci/hci.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/subsys/bluetooth/controller/hci/hci.c b/subsys/bluetooth/controller/hci/hci.c
index 82c778506897f..8e3735884665a 100644
--- a/subsys/bluetooth/controller/hci/hci.c
+++ b/subsys/bluetooth/controller/hci/hci.c
@@ -4075,6 +4075,11 @@ int hci_acl_handle(struct net_buf *buf, struct net_buf **evt)
 return -EINVAL;
 }

+ if (len > CONFIG_BT_CTLR_TX_BUFFER_SIZE) {
+ BT_ERR("Invalid HCI ACL Data length");
+ return -EINVAL;
+ }
+
 /* assigning flags first because handle will be overwritten */
 flags = bt_acl_flags(handle);
 handle = bt_acl_handle(handle);
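Review bot: The new `len > CONFIG_BT_CTLR_TX_BUFFER_SIZE` guard only bounds the later use of `len` if the Tx PDU payload area is sized from that same Kconfig symbol, and nothing in the hunk ties the two together. The buffer acquisition and whatever consumes `len` sit further down in hci_acl_handle, outside the hunk, so that relationship should be confirmed there. A comment above the check would record the invariant, e.g. `/* len comes from the Host; it must not exceed the controller's Tx PDU payload size */`. The log line would also be more useful for triage if it carried the rejected value, e.g. `BT_ERR("Invalid HCI ACL Data length %u", len);`, assuming `len` is an unsigned integer type as its use here suggests.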