From 9825b32ce2a14ce62e06af9d6ac3377a3ca1ef1c Mon Sep 17 00:00:00 2001
From: zhanghaipeng
Date: Wed, 10 Dec 2025 20:36:18 +0800
Subject: [PATCH] fix(ble/bluedroid): Fix heap buffer overflow in BTC_GAP_BLE_SET_PA_SUBEVT_DATA deep copy

---
 .../host/bluedroid/btc/profile/std/gap/btc_gap_ble.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_ble.c b/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_ble.c
index a69547083c..92a6ec9ff2 100644
--- a/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_ble.c
+++ b/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_ble.c
@@ -2182,14 +2182,12 @@ void btc_gap_ble_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src)
 uint16_t params_len = src->per_adv_subevent_data_params.num_subevents_with_data * sizeof(esp_ble_subevent_params);
 dst->per_adv_subevent_data_params.subevent_params = osi_malloc(params_len);
 if (dst->per_adv_subevent_data_params.subevent_params) {
- for (uint8_t i = 0; i < src->per_adv_subevent_data_params.num_subevents_with_data; i++) {
- memcpy(&dst->per_adv_subevent_data_params.subevent_params[i], &src->per_adv_subevent_data_params.subevent_params[i], params_len);
- // dst->per_adv_subevent_data_params.subevent_params[i].subevent = src->per_adv_subevent_data_params.subevent_params[i].subevent;
- // dst->per_adv_subevent_data_params.subevent_params[i].response_slot_start = src->per_adv_subevent_data_params.subevent_params[i].response_slot_start;
- // dst->per_adv_subevent_data_params.subevent_params[i].response_slot_count = src->per_adv_subevent_data_params.subevent_params[i].response_slot_count;
- // dst->per_adv_subevent_data_params.subevent_params[i].subevent_data_len = src->per_adv_subevent_data_params.subevent_params[i].subevent_data_len;
+ /* Fix: Use sizeof(esp_ble_subevent_params) instead of params_len to prevent buffer overflow */
+ memcpy(&dst->per_adv_subevent_data_params.subevent_params[i],
+ &src->per_adv_subevent_data_params.subevent_params[i],
+ sizeof(esp_ble_subevent_params));
 dst->per_adv_subevent_data_params.subevent_params[i].subevent_data = osi_malloc(src->per_adv_subevent_data_params.subevent_params[i].subevent_data_len);
 if (dst->per_adv_subevent_data_params.subevent_params[i].subevent_data) {
 memcpy(dst->per_adv_subevent_data_params.subevent_params[i].subevent_data, src->per_adv_subevent_data_params.subevent_params[i].subevent_data, src->per_adv_subevent_data_params.subevent_params[i].subevent_data_len);