Skip to content

Bluetooth: Host: Check returned value by LE_READ_BUFFER_SIZE #54905

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 17, 2023
Merged

Bluetooth: Host: Check returned value by LE_READ_BUFFER_SIZE #54905

merged 1 commit into from
Feb 17, 2023

Conversation

theob-pro
Copy link
Contributor

@theob-pro theob-pro commented Feb 16, 2023
edited
Loading

rp->le_max_num was passed unchecked into k_sem_init(), this could lead to the value being uninitialized and an unknown behavior.

To fix that issue, the rp->le_max_num value is checked the same way as bt_dev.le.acl_mtu was already checked. The same things has been done for rp->acl_max_num and rp->iso_max_num in read_buffer_size_v2_complete() function.

@theob-pro theob-pro changed the title Bluetooth: Host: Fix security issue from invalid init in hci_core.c Bluetooth: Host: Check returned value by LE_READ_BUFFER_SIZE Feb 16, 2023
@theob-pro theob-pro force-pushed the fix-invalid-init-of-le-read-buffer-size-complete branch 7 times, most recently from 446b331 to 13b314c Compare February 17, 2023 09:49
jhedberg
jhedberg requested changes Feb 17, 2023
View reviewed changes
@stephanosio stephanosio added this to the v3.3.0 milestone Feb 17, 2023
@theob-pro theob-pro force-pushed the fix-invalid-init-of-le-read-buffer-size-complete branch from 13b314c to a42cbea Compare February 17, 2023 10:58
Thalley
Thalley requested changes Feb 17, 2023
View reviewed changes
@theob-pro theob-pro force-pushed the fix-invalid-init-of-le-read-buffer-size-complete branch 2 times, most recently from 775a393 to 6f42f9c Compare February 17, 2023 13:13
jhedberg
jhedberg previously approved these changes Feb 17, 2023
View reviewed changes
@theob-pro
Bluetooth: Host: Check returned value by LE_READ_BUFFER_SIZE
e8b9db7 
`rp->le_max_num` was passed unchecked into `k_sem_init()`, this could
lead to the value being uninitialized and an unknown behavior.

To fix that issue, the `rp->le_max_num` value is checked the same way as
`bt_dev.le.acl_mtu` was already checked. The same things has been done
for `rp->acl_max_num` and `rp->iso_max_num` in
`read_buffer_size_v2_complete()` function.

Signed-off-by: Théo Battrel <[email protected]>
@theob-pro theob-pro force-pushed the fix-invalid-init-of-le-read-buffer-size-complete branch from 6f42f9c to e8b9db7 Compare February 17, 2023 13:14
@stephanosio stephanosio requested a review from jhedberg February 17, 2023 13:39
@stephanosio stephanosio merged commit ac3dec5 into zephyrproject-rtos:main Feb 17, 2023
This was referenced Feb 21, 2023
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jhedberg jhedberg jhedberg approved these changes

@Thalley Thalley Thalley approved these changes

@alwa-nordic alwa-nordic Awaiting requested review from alwa-nordic

@Vudentz Vudentz Awaiting requested review from Vudentz

@sjanc sjanc Awaiting requested review from sjanc

@asbjornsabo asbjornsabo Awaiting requested review from asbjornsabo

@hermabe hermabe Awaiting requested review from hermabe

+1 more reviewer

@jori-nordic jori-nordic jori-nordic approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@jhedberg jhedberg

Labels
area: Bluetooth
Projects
None yet
Milestone
v3.3.0
Development

Successfully merging this pull request may close these issues.
6 participants
@theob-pro @jhedberg @Thalley @jori-nordic @stephanosio @zephyrbot