From 0c2414e8ab556a3fb31f0ec6354acdf0dce6f126 Mon Sep 17 00:00:00 2001
From: Felix
Date: Mon, 18 Nov 2024 19:06:16 +0100
Subject: [PATCH] Cordio BLE: Fix two integer overflows

---
 .../cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
index fd708ea2ddd..98c2ae10969 100644
--- a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
+++ b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
@@ -2471,6 +2471,11 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
 uint8_t cbackEvt = 0;
 hciEvtCback_t cback = hciCb.evtCback;
+ if (len > 3)
+ {
+ return;
+ }
+
 BSTREAM_TO_UINT8(numPkts, p);
 BSTREAM_TO_UINT16(opcode, p);
@@ -2684,7 +2689,7 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
 if (cbackEvt == HCI_UNHANDLED_CMD_CMPL_CBACK_EVT) {
 const uint8_t structSize = sizeof(hciUnhandledCmdCmplEvt_t) - 1 /* removing the fake 1-byte array */;
 const uint8_t remainingLen = len - 3 /* we already read opcode and numPkts */;
- const uint8_t msgSize = structSize + remainingLen;
+ const uint16_t msgSize = structSize + remainingLen;
 pMsg = WsfBufAlloc(msgSize);
 if (pMsg != NULL) {
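Review bot: The guard added at the top of hciEvtProcessCmdCmpl in the first hunk looks inverted: `if (len > 3) return;` discards every command-complete event longer than three bytes, while a short event with `len < 3` still reaches `BSTREAM_TO_UINT8`/`BSTREAM_TO_UINT16` and, in the second hunk, `len - 3`, which wraps in `uint8_t` to 253–255. The condition that protects both the header reads and the subtraction is `if (len < 3) { return; }`. With the guard as written, widening `msgSize` to `uint16_t` in the second hunk only stops the sum from truncating; for a short packet the allocation size is still derived from a wrapped `remainingLen`. The function body starts and continues outside both hunks, so it is worth confirming whether any length check elsewhere already rejects events shorter than the three header bytes.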