bt: mesh: shell: Fix possible buffer overflow

Fix possible overflow in rpr_scan_report. Signed-off-by: Flavio Ceolin <[email protected]>
zephyrproject-rtos · Jul 20, 2023 · ddd2bc9 · ddd2bc9
1 parent e55af04
commit ddd2bc9
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/subsys/bluetooth/mesh/shell/rpr.c b/subsys/bluetooth/mesh/shell/rpr.c
@@ -38,9 +38,26 @@ static void rpr_scan_report(struct bt_mesh_rpr_cli *cli,
 		uint8_t len, type;
 		uint8_t data[31];
 
-		len = net_buf_simple_pull_u8(adv_data) - 1;
+		len = net_buf_simple_pull_u8(adv_data);
+		if (len == 0) {
+			/* No data in this AD Structure. */
+			continue;
+		}
+
+		if (len > adv_data->len) {
+			/* Malformed AD Structure. */
+			break;
+		}
+
 		type = net_buf_simple_pull_u8(adv_data);
-		memcpy(data, net_buf_simple_pull_mem(adv_data, len), len);
+		if ((--len) > 0) {
+			uint8_t dlen;
+
+			/* Pull all length, but print only what fits into `data` array. */
+			dlen = MIN(len, sizeof(data) - 1);
+			memcpy(data, net_buf_simple_pull_mem(adv_data, len), dlen);
+			len = dlen;
+		}
 		data[len] = '\0';
 
 		if (type == BT_DATA_URI) {