Cordio BLE: fix OOB read in event processing (CVE-2024-48984)

[Diff-fusion]

Summary of changes

hciEvtProcessLeExtAdvReport parses lists of hci reports. In doing so, it dynamically determines the length of the list by reading a byte from the input buffer.

mbed-os/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c

Line 1317 in 54e8693

i = *p;

The function then steps through the input buffer and reads the length of all the individual reports in order to find the largest one. It then allocates a buffer that is capable of holding the largest report.

mbed-os/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c

Lines 1331 to 1343 in 54e8693

	while (i-- > 0)
	{
	ptr += HCI_EXT_ADV_RPT_DATA_LEN_OFFSET;
	BSTREAM_TO_UINT8(dataLen, ptr);
	ptr += dataLen;
	/* if len greater than max len seen so far */
	if (dataLen > maxLen)
	{
	/* update max len */
	maxLen = dataLen;
	}
	}

However, no check is done to ensure that those other reports are actually held within the buffer.

This fix checks that all reports are fully contained within the buffer.

Impact of changes

Migration actions required

Documentation

None

---

Pull request type

[x] Patch update (Bug fix / Target update / Docs update / Test update / Refactor)
[] Feature update (New feature / Functionality change / New API)
[] Major update (Breaking change E.g. Return code change / API behaviour change)

---

Test results

[] No Tests required for this change (E.g docs only update)
[x] Covered by existing mbed-os tests (Greentea or Unittest)
[] Tests / results supplied as part of this PR

---

[Diff-fusion]

This PR fixes CVE-2024-48984