From a9b840a92c5393bf3f68645877bbe8e1edceae89 Mon Sep 17 00:00:00 2001
From: Zhang Hai Peng
Date: Mon, 6 Jan 2025 11:13:41 +0800
Subject: [PATCH] fix(ble/blufi): Fixed blufi example security issue

(cherry picked from commit 3cb2d9c3c639216afb17f12f3fca4675b0bde30c)

Co-authored-by: zhanghaipeng
---
 .../common/btc/profile/esp/blufi/blufi_prf.c | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/components/bt/common/btc/profile/esp/blufi/blufi_prf.c b/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
index 2c7be2127f..81bb030829 100644
--- a/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -95,7 +95,29 @@ void btc_blufi_report_error(esp_blufi_error_state_t state)
 void btc_blufi_recv_handler(uint8_t *data, int len)
 {
+ if (len < sizeof(struct blufi_hdr)) {
+ BTC_TRACE_ERROR("%s invalid data length: %d", __func__, len);
+ btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+ return;
+ }
+ struct blufi_hdr *hdr = (struct blufi_hdr *)data;
+
+ // Verify if the received data length matches the expected length based on the BLUFI protocol
+ int target_data_len;
+
+ if (BLUFI_FC_IS_CHECK(hdr->fc)) {
+ target_data_len = hdr->data_len + 4 + 2; // Data + (Type + Frame Control + Sequence Number + Data Length) + Checksum
+ } else {
+ target_data_len = hdr->data_len + 4; // Data + (Type + Frame Control + Sequence Number + Data Length)
+ }
+
+ if (len != target_data_len) {
+ BTC_TRACE_ERROR("%s: Invalid data length: %d, expected: %d", __func__, len, target_data_len);
+ btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+ return;
+ }
+
 uint16_t checksum, checksum_pkt;
 int ret;