From 5aa6fa39ea25d7bafe72c4429c94fcb282a79696 Mon Sep 17 00:00:00 2001
From: wangjialiang
Date: Thu, 14 Apr 2022 15:50:54 +0800
Subject: [PATCH] ble_mesh: stack: Bugfix for oversized SegN as valid

---
 components/bt/esp_ble_mesh/mesh_core/prov.c | 7 +++++++
 components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/components/bt/esp_ble_mesh/mesh_core/prov.c b/components/bt/esp_ble_mesh/mesh_core/prov.c
index dcc7a0daf0..9e001e0a8b 100644
--- a/components/bt/esp_ble_mesh/mesh_core/prov.c
+++ b/components/bt/esp_ble_mesh/mesh_core/prov.c
@@ -74,6 +74,7 @@
 #define START_PAYLOAD_MAX 20
 #define CONT_PAYLOAD_MAX 23
+#define START_LAST_SEG_MAX 2
 #define START_LAST_SEG(gpc) (gpc >> 2)
 #define CONT_SEG_INDEX(gpc) (gpc >> 2)
@@ -1563,6 +1564,12 @@ static void gen_prov_start(struct prov_rx *rx, struct net_buf_simple *buf)
 return;
 }
+ if (START_LAST_SEG(rx->gpc) > START_LAST_SEG_MAX) {
+ BT_ERR("Invalid SegN 0x%02x", START_LAST_SEG(rx->gpc));
+ prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
+ return;
+ }
+
 if (link.rx.buf->len > link.rx.buf->size) {
 BT_ERR("Too large provisioning PDU (%u bytes)", link.rx.buf->len);
diff --git a/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c b/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
index be549ee40e..62f6dea538 100644
--- a/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
+++ b/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
@@ -82,6 +82,7 @@ _Static_assert(BLE_MESH_MAX_CONN >= CONFIG_BLE_MESH_PBG_SAME_TIME,
 #define START_PAYLOAD_MAX 20
 #define CONT_PAYLOAD_MAX 23
+#define START_LAST_SEG_MAX 2
 #define START_LAST_SEG(gpc) (gpc >> 2)
 #define CONT_SEG_INDEX(gpc) (gpc >> 2)
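Review bot: START_LAST_SEG_MAX is introduced as a bare `2` and the new check in gen_prov_start only compares SegN against it, so nothing in the hunk says where the bound comes from or ties SegN to the total length announced in the same Start PDU; the same applies to the provisioner_prov.c hunks. The value presumably follows from the segment sizes defined just above it (START_PAYLOAD_MAX + 2 * CONT_PAYLOAD_MAX = 66 bytes, likely the most the receive buffer is sized for), so a comment on the define would spare the next reader the derivation: `#define START_LAST_SEG_MAX 2 /* START_PAYLOAD_MAX + 2 * CONT_PAYLOAD_MAX = 66 bytes */`. The bound alone still accepts a Start whose SegN and announced length disagree (for example SegN = 2 with a length that fits in the first segment); unless that mismatch is caught when continuation segments arrive, which is outside this hunk, a second guard beside the new one, `if (link.rx.buf->len > START_PAYLOAD_MAX + START_LAST_SEG(rx->gpc) * CONT_PAYLOAD_MAX) {` with the same error path, would reject it at the same point in both files. gen_prov_start continues outside the hunk in both files.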
@@ -2988,6 +2989,12 @@ static void gen_prov_start(const uint8_t idx, struct prov_rx *rx, struct net_buf
 return;
 }
+ if (START_LAST_SEG(rx->gpc) > START_LAST_SEG_MAX) {
+ BT_ERR("Invalid SegN 0x%02x", START_LAST_SEG(rx->gpc));
+ close_link(idx, CLOSE_REASON_FAILED);
+ return;
+ }
+
 if (link[idx].rx.buf->len > link[idx].rx.buf->size) {
 BT_ERR("Too large provisioning PDU (%u bytes)", link[idx].rx.buf->len);