Cordio BLE: Fix integer overflows (#388)

Diff-fusion · web-flow · commit 8576b0406ca3 · 2024-11-21T00:08:33.000-08:00
diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/wsf/sources/port/baremetal/wsf_msg.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/wsf/sources/port/baremetal/wsf_msg.c
@@ -53,6 +53,10 @@ typedef struct wsfMsg_tag
 /*************************************************************************************************/
 void *WsfMsgDataAlloc(uint16_t len, uint8_t tailroom)
 {
+  /* check for overflow */
+  if (len > UINT16_MAX - tailroom) {
+    return NULL;
+  }
   return WsfMsgAlloc(len + tailroom);
 }
 
@@ -69,6 +73,11 @@ void *WsfMsgAlloc(uint16_t len)
 {
   wsfMsg_t  *pMsg;
 
+  /* check for overflow */
+  if (len > UINT16_MAX - sizeof(wsfMsg_t)) {
+    return NULL;
+  }
+
   pMsg = WsfBufAlloc(len + sizeof(wsfMsg_t));
 
   /* hide header */
diff --git a/connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c b/connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c
@@ -204,6 +204,12 @@ void hciTrSerialRxIncoming(uint8_t *pBuf, uint8_t len)
         }
 
         /* allocate data buffer to hold entire packet */
+        /* check that the length doesn't overflow */
+        if (hdrLen > UINT16_MAX - dataLen)
+        {
+          stateRx = HCI_RX_STATE_IDLE;
+          return;
+        }
         if (pktIndRx == HCI_ACL_TYPE)
         {
           pPktRx = (uint8_t*)WsfMsgDataAlloc(hdrLen + dataLen, 0);

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,10 @@ typedef struct wsfMsg_tag`
`53`	`53`	`/*************************************************************************************************/`
`54`	`54`	`void *WsfMsgDataAlloc(uint16_t len, uint8_t tailroom)`
`55`	`55`	`{`
	`56`	`+ /* check for overflow */`
	`57`	`+ if (len > UINT16_MAX - tailroom) {`
	`58`	`+ return NULL;`
	`59`	`+ }`
`56`	`60`	`return WsfMsgAlloc(len + tailroom);`
`57`	`61`	`}`
`58`	`62`
`@@ -69,6 +73,11 @@ void *WsfMsgAlloc(uint16_t len)`
`69`	`73`	`{`
`70`	`74`	`wsfMsg_t *pMsg;`
`71`	`75`
	`76`	`+ /* check for overflow */`
	`77`	`+ if (len > UINT16_MAX - sizeof(wsfMsg_t)) {`
	`78`	`+ return NULL;`
	`79`	`+ }`
	`80`	`+`
`72`	`81`	`pMsg = WsfBufAlloc(len + sizeof(wsfMsg_t));`
`73`	`82`
`74`	`83`	`/* hide header */`
Original file line number	Diff line number	Diff line change
`@@ -204,6 +204,12 @@ void hciTrSerialRxIncoming(uint8_t *pBuf, uint8_t len)`
`204`	`204`	`}`
`205`	`205`
`206`	`206`	`/* allocate data buffer to hold entire packet */`
	`207`	`+ /* check that the length doesn't overflow */`
	`208`	`+ if (hdrLen > UINT16_MAX - dataLen)`
	`209`	`+ {`
	`210`	`+ stateRx = HCI_RX_STATE_IDLE;`
	`211`	`+ return;`
	`212`	`+ }`
`207`	`213`	`if (pktIndRx == HCI_ACL_TYPE)`
`208`	`214`	`{`
`209`	`215`	`pPktRx = (uint8_t*)WsfMsgDataAlloc(hdrLen + dataLen, 0);`