espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-30 18:57:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix(ble/blufi): Fixed blufi example security issue

Browse Source 
(cherry picked from commit 3cb2d9c3c6)

Co-authored-by: zhanghaipeng <zhanghaipeng@espressif.com>
This commit is contained in:
Zhang Hai Peng
2025-01-06 11:13:41 +08:00
parent 2f62363cc6
commit a9b840a92c
1 changed files with 23 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
components/bt/common/btc/profile/esp/blufi/blufi_prf.c
View File

@ -1,5 +1,5 @@
/* /*
* SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
* *
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
@ -95,7 +95,29 @@ void btc_blufi_report_error(esp_blufi_error_state_t state)
void btc_blufi_recv_handler(uint8_t *data, int len) void btc_blufi_recv_handler(uint8_t *data, int len)
{ {
if (len < sizeof(struct blufi_hdr)) {
BTC_TRACE_ERROR("%s invalid data length: %d", __func__, len);
btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
return;
}
struct blufi_hdr *hdr = (struct blufi_hdr *)data; struct blufi_hdr *hdr = (struct blufi_hdr *)data;
// Verify if the received data length matches the expected length based on the BLUFI protocol
int target_data_len;
if (BLUFI_FC_IS_CHECK(hdr->fc)) {
target_data_len = hdr->data_len + 4 + 2; // Data + (Type + Frame Control + Sequence Number + Data Length) + Checksum
} else {
target_data_len = hdr->data_len + 4; // Data + (Type + Frame Control + Sequence Number + Data Length)
}
if (len != target_data_len) {
BTC_TRACE_ERROR("%s: Invalid data length: %d, expected: %d", __func__, len, target_data_len);
btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
return;
}
uint16_t checksum, checksum_pkt; uint16_t checksum, checksum_pkt;
int ret; int ret;