fix(ble/bluedroid): Fix heap buffer overflow in BTC_GAP_BLE_SET_PA_SUBEVT_DATA deep copy

zhanghaipeng
2025-12-10 20:36:18 +08:00
committed by zhiweijian
parent 267368bbcc
commit 9825b32ce2
@@ -2182,14 +2182,12 @@ void btc_gap_ble_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src)
uint16_t params_len = src->per_adv_subevent_data_params.num_subevents_with_data * sizeof(esp_ble_subevent_params);
dst->per_adv_subevent_data_params.subevent_params = osi_malloc(params_len);
if (dst->per_adv_subevent_data_params.subevent_params) {
for (uint8_t i = 0; i < src->per_adv_subevent_data_params.num_subevents_with_data; i++)
{
memcpy(&dst->per_adv_subevent_data_params.subevent_params[i], &src->per_adv_subevent_data_params.subevent_params[i], params_len);
// dst->per_adv_subevent_data_params.subevent_params[i].subevent = src->per_adv_subevent_data_params.subevent_params[i].subevent;
// dst->per_adv_subevent_data_params.subevent_params[i].response_slot_start = src->per_adv_subevent_data_params.subevent_params[i].response_slot_start;
// dst->per_adv_subevent_data_params.subevent_params[i].response_slot_count = src->per_adv_subevent_data_params.subevent_params[i].response_slot_count;
// dst->per_adv_subevent_data_params.subevent_params[i].subevent_data_len = src->per_adv_subevent_data_params.subevent_params[i].subevent_data_len;
/* Fix: Use sizeof(esp_ble_subevent_params) instead of params_len to prevent buffer overflow */
memcpy(&dst->per_adv_subevent_data_params.subevent_params[i],
&src->per_adv_subevent_data_params.subevent_params[i],
sizeof(esp_ble_subevent_params));
dst->per_adv_subevent_data_params.subevent_params[i].subevent_data = osi_malloc(src->per_adv_subevent_data_params.subevent_params[i].subevent_data_len);
if (dst->per_adv_subevent_data_params.subevent_params[i].subevent_data) {
memcpy(dst->per_adv_subevent_data_params.subevent_params[i].subevent_data, src->per_adv_subevent_data_params.subevent_params[i].subevent_data, src->per_adv_subevent_data_params.subevent_params[i].subevent_data_len);
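Review bot: The per-element struct copy now has the right size, but the nested `subevent_data` copy on the last line still trusts `src->...subevent_params[i].subevent_data_len` without checking that `src->...subevent_params[i].subevent_data` is non-NULL when that length is non-zero, so a caller passing a NULL buffer with a stale length still drives memcpy off a null pointer. The struct memcpy also carries `subevent_data_len` into dst before the per-element allocation, so if `osi_malloc` fails the destination element ends up with a NULL `subevent_data` and a non-zero length; the else branch is outside the hunk, but whatever it does should clear the length, e.g. `dst->per_adv_subevent_data_params.subevent_params[i].subevent_data_len = 0;`, so later consumers cannot over-read. The `/* Fix: ... */` comment reads like a changelog entry and will age badly; a comment stating the invariant, such as `/* copy one element: params_len is the size of the whole array, not one entry */`, says why the size matters. `params_len` is a `uint16_t` built from `num_subevents_with_data * sizeof(esp_ble_subevent_params)`; with a `uint8_t` loop counter that presumably fits, but it is worth confirming the product cannot wrap. The enclosing function btc_gap_ble_arg_deep_copy starts before and continues after this hunk.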