From 49830ac2207ef5e0cb7b5fa452bc8f919b875c89 Mon Sep 17 00:00:00 2001
From: Zhang Hai Peng
Date: Fri, 15 Aug 2025 14:53:34 +0800
Subject: [PATCH 1/3] fix(ble/bluedroid): Fixed potential out-of-bounds memory access when resolve adv data

(cherry picked from commit 12df54e8d16486fcba8263b8f2b9b8d3a8992703)

Co-authored-by: zhanghaipeng
---
 components/bt/host/bluedroid/stack/btm/btm_ble_gap.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c
index 310345c876..22d309c182 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c
@@ -2071,6 +2071,13 @@ UINT8 *BTM_CheckAdvData( UINT8 *p_adv, UINT16 adv_data_len, UINT8 type, UINT8 *p
 STREAM_TO_UINT8(adv_type, p);
 if ( adv_type == type ) {
+
+ if((p + length - 1) > (p_adv + adv_data_len)) {
+ /* avoid memory overflow*/
+ *p_length = 0;
+ return NULL;
+ }
+
 /* length doesn't include itself */
 *p_length = length - 1; /* minus the length of type */
 return p;

From 6f4c3126a1498f3f33e05e014f91d4b588c36851 Mon Sep 17 00:00:00 2001
From: Zhang Hai Peng
Date: Fri, 15 Aug 2025 14:53:36 +0800
Subject: [PATCH 2/3] fix(ble/bluedroid): Fixed the problem of macro definition error

(cherry picked from commit 6b212c7d47dcb896b6780ca64a5fd02a2ce224b4)

Co-authored-by: BLKDASH <128231495+BLKDASH@users.noreply.github.com>
---
 examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c b/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c
index 3e8b8a513d..64c220b465 100644
--- a/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c
+++ b/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c
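Review bot: The bound added inside the `adv_type == type` branch of BTM_CheckAdvData forms the pointer `p + length - 1` before comparing it, so in exactly the truncated case it is meant to catch that pointer already points past `p_adv + adv_data_len`, which is undefined pointer arithmetic in C even where it happens to behave on the target. Comparing offsets is equivalent and never forms the out-of-range pointer: `if ((p - p_adv) + (length - 1) > adv_data_len) {`. The check also only covers the matching element; the path that skips non-matching elements with `length - 1` and reads the next length byte lies outside this hunk, and if it is not bounded the same way a malformed element preceding the requested type can still carry the read past `adv_data_len`. Minor: `/* avoid memory overflow*/` lacks the closing space the neighbouring comments use.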
@@ -203,7 +203,7 @@ void example_exec_write_event_env(prepare_type_env_t *prepare_write_env, esp_ble
 static void gap_event_handler(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *param)
 {
 switch (event) {
-#ifdef CONFIG_SET_RAW_ADV_DATA
+#ifdef CONFIG_EXAMPLE_SET_RAW_ADV_DATA
 case ESP_GAP_BLE_ADV_DATA_RAW_SET_COMPLETE_EVT:
 adv_config_done &= (~adv_config_flag);
 if (adv_config_done==0){

From f76024c7e7b2f3d7b65b04c1d4b305af3425c567 Mon Sep 17 00:00:00 2001
From: Zhang Hai Peng
Date: Fri, 15 Aug 2025 14:53:39 +0800
Subject: [PATCH 3/3] fix(ble/bluedroid): Update Gatt_Server_Service_Table_Example_Walkthrough.md

(cherry picked from commit 6b360dacf68e1dd95bb2670fb41e48c4545c4040)

Co-authored-by: Cody
---
 .../tutorial/Gatt_Server_Service_Table_Example_Walkthrough.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/examples/bluetooth/bluedroid/ble/gatt_server_service_table/tutorial/Gatt_Server_Service_Table_Example_Walkthrough.md b/examples/bluetooth/bluedroid/ble/gatt_server_service_table/tutorial/Gatt_Server_Service_Table_Example_Walkthrough.md
index f248c2975f..f30867e350 100644
--- a/examples/bluetooth/bluedroid/ble/gatt_server_service_table/tutorial/Gatt_Server_Service_Table_Example_Walkthrough.md
+++ b/examples/bluetooth/bluedroid/ble/gatt_server_service_table/tutorial/Gatt_Server_Service_Table_Example_Walkthrough.md
@@ -26,7 +26,6 @@ Let’s start by taking a look at the included headers in the [gatts_table_creat
 #include "esp_gatts_api.h"
 #include "esp_bt_defs.h"
 #include "esp_bt_main.h"
-#include "esp_bt_main.h"
 #include “gatts_table_creat_demo.h"
 ```
 These includes are required for the *FreeRTOS* and underlaying system components to run, including logging functionality and a library to store data in non-volatile flash memory. We are interested in ``bt.h``, ``esp_bt_main.h``, ``esp_gap_ble_api.h`` and ``esp_gatts_api.h`` which expose the BLE APIs required to implement this example.