Merge branch 'bugfix/fix_blufi_frag_pkt_vulnerability' into 'master'

Fixed vulnerability attacks that could cause heap overflow in fragmented Blufi packet processing Closes BT-3106 See merge request espressif/esp-idf!21819
2024-09-20 10:46:02 -04:00 · 2023-01-10 21:13:01 +08:00 · 2023-01-10 21:13:01 +08:00 · c176e5e0ec
commit c176e5e0ec
parent 7aabacbcfc 7c9d47b702
2 changed files with 23 additions and 0 deletions
--- a/components/bt/common/api/include/api/esp_blufi_api.h
+++ b/components/bt/common/api/include/api/esp_blufi_api.h
@ -78,6 +78,7 @@ typedef enum {
    ESP_BLUFI_DATA_FORMAT_ERROR,
    ESP_BLUFI_CALC_MD5_ERROR,
    ESP_BLUFI_WIFI_SCAN_FAIL,
+    ESP_BLUFI_MSG_STATE_ERROR,
 } esp_blufi_error_state_t;

 /**
--- a/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
@ -136,6 +136,16 @@ void btc_blufi_recv_handler(uint8_t *data, int len)

    if (BLUFI_FC_IS_FRAG(hdr->fc)) {
        if (blufi_env.offset == 0) {
+            /*
+            blufi_env.aggr_buf should be NULL if blufi_env.offset is 0.
+            It is possible that the process of sending fragment packet
+            has not been completed
+            */
+            if (blufi_env.aggr_buf) {
+                BTC_TRACE_ERROR("%s msg error, blufi_env.aggr_buf is not freed\n", __func__);
+                btc_blufi_report_error(ESP_BLUFI_MSG_STATE_ERROR);
+                return;
+            }
            blufi_env.total_len = hdr->data[0] | (((uint16_t) hdr->data[1]) << 8);
            blufi_env.aggr_buf = osi_malloc(blufi_env.total_len);
            if (blufi_env.aggr_buf == NULL) {
@ -155,6 +165,18 @@ void btc_blufi_recv_handler(uint8_t *data, int len)

    } else {
        if (blufi_env.offset > 0) {   /* if previous pkt is frag */
+            /* blufi_env.aggr_buf should not be NULL */
+            if (blufi_env.aggr_buf == NULL) {
+                BTC_TRACE_ERROR("%s buffer is NULL\n", __func__);
+                btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR);
+                return;
+            }
+            /* payload length should be equal to total_len */
+            if ((blufi_env.offset + hdr->data_len) != blufi_env.total_len) {
+                BTC_TRACE_ERROR("%s payload is longer than packet length, len %d \n", __func__, blufi_env.total_len);
+                btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+                return;
+            }
            memcpy(blufi_env.aggr_buf + blufi_env.offset, hdr->data, hdr->data_len);

            btc_blufi_protocol_handler(hdr->type, blufi_env.aggr_buf, blufi_env.total_len);