From bec18c3f462ef79e02690d846180ea388c84844c Mon Sep 17 00:00:00 2001
From: Pavel Vasilyev
Date: Wed, 27 Aug 2025 14:12:00 +0200
Subject: [PATCH] bluetooth: mesh: pb_adv: check TotalLength against adv buf length

Check that the buffer length of the received advertising data is less than reported TotalLength in Transaction Start PDU.

Signed-off-by: Pavel Vasilyev
(cherry picked from commit fe5b266ddbc90644f96900b814995016767658b6)
---
 subsys/bluetooth/mesh/pb_adv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/subsys/bluetooth/mesh/pb_adv.c b/subsys/bluetooth/mesh/pb_adv.c
index 86f20497704f3..bccd162a68342 100644
--- a/subsys/bluetooth/mesh/pb_adv.c
+++ b/subsys/bluetooth/mesh/pb_adv.c
@@ -620,6 +620,13 @@ static void gen_prov_start(struct prov_rx *rx, struct net_buf_simple *buf)
 return;
 }
 
+ if (link.rx.buf->len < buf->len) {
+ LOG_ERR("Invalid declared provisionig PDU length (%u > %u)", buf->len,
+ link.rx.buf->len);
+ prov_failed(PROV_ERR_NVAL_FMT);
+ return;
+ }
+
 if (START_LAST_SEG(rx->gpc) > 0 && link.rx.buf->len <= 20U) {
 LOG_ERR("Too small total length for multi-segment PDU");
 prov_failed(PROV_ERR_NVAL_FMT);
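Review bot: The added guard in gen_prov_start only rejects a Transaction Start segment that carries more bytes than the declared TotalLength; when `START_LAST_SEG(rx->gpc)` is 0, a segment shorter than declared still passes this check. If nothing later in the function rejects that case (the body starts before and continues past this hunk, so that is not visible here), consider also failing on `START_LAST_SEG(rx->gpc) == 0 && buf->len != link.rx.buf->len` through the same `prov_failed(PROV_ERR_NVAL_FMT)` path. A one-line comment such as `/* link.rx.buf->len is the TotalLength declared by the peer; buf->len is the payload received in this segment */` would make the comparison readable, since it appears to compare a claimed length with a received one. The log string also has a typo: `provisionig` should be `provisioning`.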