From b4650fcc16963bce40fca330f62643d39b48947c Mon Sep 17 00:00:00 2001
From: wangjialiang <wangjialiang@espressif.com>
Date: Thu, 4 Mar 2021 16:06:24 +0800
Subject: [PATCH] ble_mesh: stack: Fix invalid provisioning pdu type check

For case MESH/NODE/PROV/BI-15-C
---
 components/bt/esp_ble_mesh/mesh_core/prov.c | 31 +++++++++++++--------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/components/bt/esp_ble_mesh/mesh_core/prov.c b/components/bt/esp_ble_mesh/mesh_core/prov.c
index 4e9813f7c6..cb3ddae2e2 100644
--- a/components/bt/esp_ble_mesh/mesh_core/prov.c
+++ b/components/bt/esp_ble_mesh/mesh_core/prov.c
@@ -1450,18 +1450,22 @@ static void prov_msg_recv(void)
         return;
     }
 
-    if (type != PROV_FAILED && type != link.expect) {
-        BT_WARN("Unexpected msg 0x%02x != 0x%02x", type, link.expect);
-        prov_send_fail_msg(PROV_ERR_UNEXP_PDU);
-        return;
-    }
-
+    /* For case MESH/NODE/PROV/BI-15-C, when the node receive a Provisioning PDU
+     * with the Type field set to the lowest unsupported or RFU value, it sends a
+     * Provisioning Failed PDU with the Error Code field set to Invalid PDU(0x01).
+     */
     if (type >= ARRAY_SIZE(prov_handlers)) {
         BT_ERR("Unknown provisioning PDU type 0x%02x", type);
         prov_send_fail_msg(PROV_ERR_NVAL_PDU);
         return;
     }
 
+    if (type != PROV_FAILED && type != link.expect) {
+        BT_WARN("Unexpected msg 0x%02x != 0x%02x", type, link.expect);
+        prov_send_fail_msg(PROV_ERR_UNEXP_PDU);
+        return;
+    }
+
     if (1 + prov_handlers[type].len != link.rx.buf->len) {
         BT_ERR("Invalid length %u for type 0x%02x",
                 link.rx.buf->len, type);
@@ -1666,15 +1670,20 @@ int bt_mesh_pb_gatt_recv(struct bt_mesh_conn *conn, struct net_buf_simple *buf)
         return -EINVAL;
     }
 
+    /* For case MESH/NODE/PROV/BI-15-C, when the node receive a Provisioning PDU
+     * with the Type field set to the lowest unsupported or RFU value, it sends a
+     * Provisioning Failed PDU with the Error Code field set to Invalid PDU(0x01).
+     */
     type = net_buf_simple_pull_u8(buf);
-    if (type != PROV_FAILED && type != link.expect) {
-        BT_WARN("Unexpected msg 0x%02x != 0x%02x", type, link.expect);
-        prov_send_fail_msg(PROV_ERR_UNEXP_PDU);
+    if (type >= ARRAY_SIZE(prov_handlers)) {
+        BT_ERR("Unknown provisioning PDU type 0x%02x", type);
+        prov_send_fail_msg(PROV_ERR_NVAL_PDU);
         return -EINVAL;
     }
 
-    if (type >= ARRAY_SIZE(prov_handlers)) {
-        BT_ERR("Unknown provisioning PDU type 0x%02x", type);
+    if (type != PROV_FAILED && type != link.expect) {
+        BT_WARN("Unexpected msg 0x%02x != 0x%02x", type, link.expect);
+        prov_send_fail_msg(PROV_ERR_UNEXP_PDU);
         return -EINVAL;
     }