Commit bda93ee
Bluetooth: MGMT: validate mesh send advertising payload length

mesh_send() currently bounds MGMT_OP_MESH_SEND by total command
length, but it never verifies that the bytes supplied for the
flexible adv_data[] array actually match the embedded adv_data_len
field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a
truncated command can still pass the existing 20..50 byte range
check and later drive the async mesh send path past the end of the
queued command buffer.

Keep rejecting zero-length and oversized advertising payloads, but
validate adv_data_len explicitly and require the command length to
exactly match the flexible array size before queueing the request.

Fixes: b338d91 ("Bluetooth: Implement support for Mesh")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

1 parent b255531 commit bda93ee
1 file changed
Lines changed: 11 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2478 | 2478 | | |
2479 | 2479 | | |
2480 | 2480 | | |
| 2481 | + | |
2481 | 2482 | | |
2482 | 2483 | | |
2483 | 2484 | | |
2484 | 2485 | | |
2485 | 2486 | | |
2486 | 2487 | | |
2487 | 2488 | | |
2488 | | - | |
2489 | | - | |
2490 | | - | |
| 2489 | + | |
| 2490 | + | |
| 2491 | + | |
| 2492 | + | |
| 2493 | + | |
2491 | 2494 | | |
2492 | 2495 | | |
2493 | 2496 | | |
| 2497 | + | |
| 2498 | + | |
| 2499 | + | |
| 2500 | + | |
| 2501 | + | |
2494 | 2502 | | |
2495 | 2503 | | |
2496 | 2504 | | |
| |||
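The length rule described in the commit message, modelled in user space as an added example; it is not the kernel patch or code from this commit. The struct layout, the 19-byte header and 31-byte payload limit (chosen to agree with the 20..50 byte range in the message) and every function name are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model; names, layout and sizes are assumptions. */
#define HDR_SIZE 19 /* fixed header: 50-byte upper bound minus 31 payload bytes */
#define ADV_MAX  31 /* largest advertising payload accepted */
struct mesh_send_cmd {
    uint8_t fixed[HDR_SIZE - 1]; /* fixed fields before the length byte */
    uint8_t adv_data_len;        /* payload length claimed by the sender */
    uint8_t adv_data[];          /* flexible array, bounded only by the command length */
};

/* Before: only the total command length is bounded (20..50 bytes). */
static bool len_ok_range_only(size_t len)
{
    return len > HDR_SIZE && len <= HDR_SIZE + ADV_MAX;
}

/* After: claimed length must be 1..31 and equal the payload bytes received.
 * The len test comes first so adv_data_len is never read from a short header. */
static bool len_ok_exact(const struct mesh_send_cmd *cp, size_t len)
{
    if (len < HDR_SIZE || cp->adv_data_len == 0 || cp->adv_data_len > ADV_MAX)
        return false;
    return len == HDR_SIZE + (size_t)cp->adv_data_len;
}

/* Bytes a consumer trusting adv_data_len would read past the received command. */
static size_t overread_bytes(const struct mesh_send_cmd *cp, size_t len)
{
    size_t need = HDR_SIZE + (size_t)cp->adv_data_len;
    return need > len ? need - len : 0;
}

/* Constructed sample: zeroed command whose length byte claims `claimed` bytes. */
static const struct mesh_send_cmd *make_cmd(uint8_t *buf, uint8_t claimed)
{
    memset(buf, 0, HDR_SIZE + ADV_MAX);
    buf[HDR_SIZE - 1] = claimed;
    return (const struct mesh_send_cmd *)buf;
}

int main(void)
{
    uint8_t buf[HDR_SIZE + ADV_MAX];
    const struct mesh_send_cmd *cp = make_cmd(buf, ADV_MAX); /* claims 31, 1 sent */
    printf("range-only=%d exact=%d overread=%zu\n", len_ok_range_only(HDR_SIZE + 1),
           len_ok_exact(cp, HDR_SIZE + 1), overread_bytes(cp, HDR_SIZE + 1));
    return 0;
}
```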