Cordio BLE: Fix two integer overflows (CVE-2024-48982) (#386)
* Cordio BLE: Fix two integer overflows

* Cordio BLE: Fix sign in length check
Diff-fusion authored Nov 21, 2024
1 parent 92df629 commit 8974db5
Showing 1 changed file with 6 additions and 1 deletion.
@@ -2482,6 +2482,11 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
uint8_t cbackEvt = 0;
hciEvtCback_t cback = hciCb.evtCback;

if (len < 3)
{
return;
}

BSTREAM_TO_UINT8(numPkts, p);
BSTREAM_TO_UINT16(opcode, p);

@@ -2695,7 +2700,7 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
if (cbackEvt == HCI_UNHANDLED_CMD_CMPL_CBACK_EVT) {
const uint8_t structSize = sizeof(hciUnhandledCmdCmplEvt_t) - 1 /* removing the fake 1-byte array */;
const uint8_t remainingLen = len - 3 /* we already read opcode and numPkts */;
const uint8_t msgSize = structSize + remainingLen;
const uint16_t msgSize = structSize + remainingLen;

pMsg = WsfBufAlloc(msgSize);
if (pMsg != NULL) {
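Review bot: The `len - 3` subtraction in the second hunk is only safe because of the `if (len < 3)` guard added roughly 200 lines earlier, and neither site says so. A shared named constant would tie the two together, for example a new `#define HCI_CMD_CMPL_HDR_LEN 3 /* numPkts (1) + opcode (2) */` (name is a suggestion) used in both the guard and the `remainingLen` initialiser. The guard covers only the fixed three-byte header. The per-opcode parsing between the two hunks is not visible here, so it is worth confirming that each handler checks the remaining length before reading its return parameters from `p`. Both hunks sit inside hciEvtProcessCmdCmpl, whose body starts and ends outside what is shown.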