Merge branch 'bugfix/fix_blufi_frag_pkt_vulnerability_4.2' into 'release/v4.2'

Fixed vulnerability attacks that could cause heap overflow in fragmented Blufi packet processing (back port v4.2) See merge request espressif/esp-idf!23063
2024-10-05 20:47:46 -04:00 · 2023-04-06 10:57:19 +08:00 · 2023-04-06 10:57:19 +08:00 · 25e130a833
commit 25e130a833
parent 9dfbf27857 3a7dd3c0de
2 changed files with 25 additions and 0 deletions
--- a/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h
+++ b/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h
@ -84,6 +84,9 @@ typedef enum {
    ESP_BLUFI_READ_PARAM_ERROR,
    ESP_BLUFI_MAKE_PUBLIC_ERROR,
    ESP_BLUFI_DATA_FORMAT_ERROR,
+    ESP_BLUFI_CALC_MD5_ERROR,
+    ESP_BLUFI_WIFI_SCAN_FAIL,
+    ESP_BLUFI_MSG_STATE_ERROR,
 } esp_blufi_error_state_t;

 /**
--- a/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c
@ -436,6 +436,16 @@ static void btc_blufi_recv_handler(uint8_t *data, int len)

    if (BLUFI_FC_IS_FRAG(hdr->fc)) {
        if (blufi_env.offset == 0) {
+            /*
+            blufi_env.aggr_buf should be NULL if blufi_env.offset is 0.
+            It is possible that the process of sending fragment packet
+            has not been completed
+            */
+            if (blufi_env.aggr_buf) {
+                BTC_TRACE_ERROR("%s msg error, blufi_env.aggr_buf is not freed\n", __func__);
+                btc_blufi_report_error(ESP_BLUFI_MSG_STATE_ERROR);
+                return;
+            }
            blufi_env.total_len = hdr->data[0] | (((uint16_t) hdr->data[1]) << 8);
            blufi_env.aggr_buf = osi_malloc(blufi_env.total_len);
            if (blufi_env.aggr_buf == NULL) {
@ -455,6 +465,18 @@ static void btc_blufi_recv_handler(uint8_t *data, int len)

    } else {
        if (blufi_env.offset > 0) {   /* if previous pkt is frag */
+            /* blufi_env.aggr_buf should not be NULL */
+            if (blufi_env.aggr_buf == NULL) {
+                BTC_TRACE_ERROR("%s buffer is NULL\n", __func__);
+                btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR);
+                return;
+            }
+            /* payload length should be equal to total_len */
+            if ((blufi_env.offset + hdr->data_len) != blufi_env.total_len) {
+                BTC_TRACE_ERROR("%s payload is longer than packet length, len %d \n", __func__, blufi_env.total_len);
+                btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+                return;
+            }
            memcpy(blufi_env.aggr_buf + blufi_env.offset, hdr->data, hdr->data_len);

            btc_blufi_protocol_handler(hdr->type, blufi_env.aggr_buf, blufi_env.total_len);