From 3a7dd3c0de992650016e16c2fdb20459d0970aa4 Mon Sep 17 00:00:00 2001
From: zhiweijian
Date: Wed, 28 Dec 2022 14:59:38 +0800
Subject: [PATCH] Fixed vulnerability attacks that could cause heap overflow in fragmented Blufi packet processing
---
 .../bluedroid/api/include/api/esp_blufi_api.h | 3 +++
 .../btc/profile/esp/blufi/blufi_prf.c | 22 +++++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h b/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h
index 0d4b8662f0..10da4bbf20 100644
--- a/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h
+++ b/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h
@@ -84,6 +84,9 @@ typedef enum {
 ESP_BLUFI_READ_PARAM_ERROR,
 ESP_BLUFI_MAKE_PUBLIC_ERROR,
 ESP_BLUFI_DATA_FORMAT_ERROR,
+ ESP_BLUFI_CALC_MD5_ERROR,
+ ESP_BLUFI_WIFI_SCAN_FAIL,
+ ESP_BLUFI_MSG_STATE_ERROR,
 } esp_blufi_error_state_t;
 /**
diff --git a/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c b/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c
index f2b78ba822..695dd17e28 100644
--- a/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c
@@ -436,6 +446,16 @@ static void btc_blufi_recv_handler(uint8_t *data, int len)
 if (BLUFI_FC_IS_FRAG(hdr->fc)) {
 if (blufi_env.offset == 0) {
+ /* blufi_env.aggr_buf should be NULL if blufi_env.offset is 0. It is possible that the process of sending fragment packet has not been completed */
+ if (blufi_env.aggr_buf) {
+ BTC_TRACE_ERROR("%s msg error, blufi_env.aggr_buf is not freed\n", __func__);
+ btc_blufi_report_error(ESP_BLUFI_MSG_STATE_ERROR);
+ return;
+ }
 blufi_env.total_len = hdr->data[0] | (((uint16_t) hdr->data[1]) << 8);
 blufi_env.aggr_buf = osi_malloc(blufi_env.total_len);
 if (blufi_env.aggr_buf == NULL) {
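Review bot: The first-fragment path still reads `hdr->data[0]` and `hdr->data[1]` as the total length without any visible check that `hdr->data_len` is at least 2, so unless btc_blufi_recv_handler validates that before this hunk (the function starts outside it), a fragment carrying a 0- or 1-byte payload reads past the payload, and the attacker-chosen total_len can also be 0, which reaches `osi_malloc(0)`. I would add, before the total_len line, `if (hdr->data_len < 2) { btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR); return; }` and reject `total_len == 0` the same way. The new stale-buffer branch also returns without freeing `blufi_env.aggr_buf` or touching `blufi_env.offset`; if nothing else clears that state, every later fragmented message from the peer trips the same check, so freeing the buffer and setting it to NULL before reporting the error would let reassembly recover. The hunk's trailing context line is not shown here and the function continues past it.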
@@ -455,6 +465,18 @@ static void btc_blufi_recv_handler(uint8_t *data, int len)
 } else {
 if (blufi_env.offset > 0) { /* if previous pkt is frag */
+ /* blufi_env.aggr_buf should not be NULL */
+ if (blufi_env.aggr_buf == NULL) {
+ BTC_TRACE_ERROR("%s buffer is NULL\n", __func__);
+ btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR);
+ return;
+ }
+ /* payload length should be equal to total_len */
+ if ((blufi_env.offset + hdr->data_len) != blufi_env.total_len) {
+ BTC_TRACE_ERROR("%s payload is longer than packet length, len %d \n", __func__, blufi_env.total_len);
+ btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+ return;
+ }
 memcpy(blufi_env.aggr_buf + blufi_env.offset, hdr->data, hdr->data_len);
 btc_blufi_protocol_handler(hdr->type, blufi_env.aggr_buf, blufi_env.total_len);
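Review bot: The NULL-buffer branch reports `ESP_BLUFI_DH_MALLOC_ERROR` although no allocation happens here; this is the inconsistent-state case the header hunk's new `ESP_BLUFI_MSG_STATE_ERROR` was introduced for, so `btc_blufi_report_error(ESP_BLUFI_MSG_STATE_ERROR);` is the code that matches. The length check uses `!=`, so a final fragment that is too short is rejected as well, yet the log says "payload is longer than packet length"; `"%s payload length %d does not match total_len %d\n", __func__, blufi_env.offset + hdr->data_len, blufi_env.total_len` would describe what was actually tested. Both new error paths return with `blufi_env.offset` still nonzero and `blufi_env.aggr_buf` still allocated, so a single malformed final packet leaves a partial reassembly in place and the next first-fragment fails the state check added in the previous hunk; since the cleanup lines of this branch lie outside the hunk, if no other path frees the buffer I would free it, NULL it and zero offset before returning on the length mismatch. The trailing context lines of this hunk are not shown and btc_blufi_recv_handler continues past them.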