This is an automated email from the ASF dual-hosted git repository.
lupyuen pushed a commit to branch releases/12.9
in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit 02cb99378f5df261d9f08526601641831b1acd5e
Author: Chongqing Lei <le...@seu.edu.cn>
AuthorDate: Thu Apr 10 20:12:36 2025 +0200
wireless/bt_uart: Fix ACL data buffer length verification.
Driver now validates ACL provided buffer length agaist the size of
the data buffer which is defined by CONFIG_BLUETOOTH_UART_RXBUFSIZE.
Signed-off-by: Tomasz 'CeDeROM' CEDRO <to...@cedro.info>
---
drivers/wireless/bluetooth/bt_uart.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/wireless/bluetooth/bt_uart.c
b/drivers/wireless/bluetooth/bt_uart.c
index 276fa62d8e..0c6fdb08fe 100644
--- a/drivers/wireless/bluetooth/bt_uart.c
+++ b/drivers/wireless/bluetooth/bt_uart.c
@@ -162,6 +162,14 @@ static void btuart_rxwork(FAR void *arg)
else if (data[0] == H4_ACL)
{
pktlen = hdr->acl.len;
+
+ if (pktlen + H4_HEADER_SIZE + hdrlen >
+ CONFIG_BLUETOOTH_UART_RXBUFSIZE)
+ {
+ wlwarn("WARNING: H4 packet is too long\n");
+ break;
+ }
+
type = BT_ACL_IN;
}
else
