This is an automated email from the ASF dual-hosted git repository.
lupyuen pushed a commit to branch releases/12.9
in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit d0b6e39036832f9f3dfbce63160529ef999f7e10
Author: Chongqing Lei <le...@seu.edu.cn>
AuthorDate: Thu Apr 10 20:21:40 2025 +0200
wireless/bt_hcicore: Fix H4 header and data buffer length verification.
Driver now validates data and H4 header length against CONFIG_IOB_BUFSIZE.
Signed-off-by: Tomasz 'CeDeROM' CEDRO <to...@cedro.info>
---
wireless/bluetooth/bt_hcicore.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/wireless/bluetooth/bt_hcicore.c b/wireless/bluetooth/bt_hcicore.c
index a993073d82..98b02e61d3 100644
--- a/wireless/bluetooth/bt_hcicore.c
+++ b/wireless/bluetooth/bt_hcicore.c
@@ -1802,6 +1802,12 @@ int bt_receive(FAR struct bt_driver_s *btdev, enum
bt_buf_type_e type,
struct bt_buf_s *buf;
int ret;
+ if (len + BLUETOOTH_H4_HDRLEN > CONFIG_IOB_BUFSIZE)
+ {
+ wlerr("ERROR: Data too long\n");
+ return -EINVAL;
+ }
+
wlinfo("data %p len %zu\n", data, len);
/* Critical command complete/status events use the high priority work
