From c7cfcddc2cbff3702917849ee7ba68b89d00a0a0 Mon Sep 17 00:00:00 2001
From: "953308023@qq.com" <953308023@qq.com>
Date: Fri, 17 Dec 2021 19:25:56 +0800
Subject: [PATCH 1/5] fix potential arrary overflow problem of _recvBuffer
---
 src/utility/HCI.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/utility/HCI.cpp b/src/utility/HCI.cpp
index 233dd1a5..0b45293f 100644
--- a/src/utility/HCI.cpp
+++ b/src/utility/HCI.cpp
@@ -112,6 +112,15 @@ void HCIClass::poll(unsigned long timeout)
 while (HCITransport.available()) {
 byte b = HCITransport.read();
+
+ if (sizeof(_recvBuffer) <= _recvIndex)
+ {
+ _recvIndex = 0;
+ if (_debug) {
+ _debug->println("_recvBuffer overflow");
+ }
+ continue;
+ }
 _recvBuffer[_recvIndex++] = b;
From ecfe56af180298bb8a3f0749c3df888165956e6a Mon Sep 17 00:00:00 2001
From: BBear <13687227078@163.com>
Date: Tue, 21 Dec 2021 17:50:09 +0800
Subject: [PATCH 2/5] Update src/utility/HCI.cpp make the code eaiser to read
Co-authored-by: Alexander Entinger
---
 src/utility/HCI.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/utility/HCI.cpp b/src/utility/HCI.cpp
index 0b45293f..19bb80d4 100644
--- a/src/utility/HCI.cpp
+++ b/src/utility/HCI.cpp
@@ -113,7 +113,7 @@ void HCIClass::poll(unsigned long timeout)
 while (HCITransport.available()) {
 byte b = HCITransport.read();
- if (sizeof(_recvBuffer) <= _recvIndex)
+ if (_recvIndex >= sizeof(_recvBuffer))
 {
 _recvIndex = 0;
 if (_debug) {
From 4f4bdd365e8c04c8be2d261be5c328acf96d9641 Mon Sep 17 00:00:00 2001
From: BBear <13687227078@163.com>
Date: Tue, 21 Dec 2021 17:59:40 +0800
Subject: [PATCH 3/5] optimize code of potential overflow _recvBuffer
---
 src/utility/HCI.cpp | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/src/utility/HCI.cpp b/src/utility/HCI.cpp
index 19bb80d4..74bfe754 100644
--- a/src/utility/HCI.cpp
+++ b/src/utility/HCI.cpp
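Review bot: The new guard stops the out-of-bounds write into `_recvBuffer`, but resetting `_recvIndex` to 0 in the middle of an oversized frame leaves the parsing that follows this hunk (poll continues outside it) treating the next byte of that same frame as a fresh packet-type indicator, so framing is silently lost until the transport happens to re-sync. A comment at the reset would make that trade-off explicit: `// Frame longer than _recvBuffer: restart at index 0; framing is lost until the next packet boundary.` If `_recvIndex` is declared as a signed `int` (its declaration is outside the hunk), `sizeof(_recvBuffer) <= _recvIndex` converts it to unsigned, harmless here but worth an unsigned index or a `static_cast<size_t>` to keep `-Wsign-compare` quiet. The same mid-frame reset survives the rewrite in patch 3 (the first hunk on the next line), which only changes whether the overflowing byte is stored at index 0 or dropped.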
@@ -113,14 +113,9 @@ void HCIClass::poll(unsigned long timeout)
 while (HCITransport.available()) {
 byte b = HCITransport.read();
- if (_recvIndex >= sizeof(_recvBuffer))
- {
- _recvIndex = 0;
- if (_debug) {
- _debug->println("_recvBuffer overflow");
- }
- continue;
- }
+ if (_recvIndex >= sizeof(_recvBuffer)) {
+ _recvIndex = 0;
+ }
 _recvBuffer[_recvIndex++] = b;
From 89ab4793610bdb69239b98d12f3c5f029bdaf25a Mon Sep 17 00:00:00 2001
From: BBear <13687227078@163.com>
Date: Wed, 22 Dec 2021 13:40:17 +0800
Subject: [PATCH 4/5] add the debug msg when the _recvBuffer overflow
---
 src/utility/HCI.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/utility/HCI.cpp b/src/utility/HCI.cpp
index 74bfe754..f158d035 100644
--- a/src/utility/HCI.cpp
+++ b/src/utility/HCI.cpp
@@ -115,6 +115,9 @@ void HCIClass::poll(unsigned long timeout)
 if (_recvIndex >= sizeof(_recvBuffer)) {
 _recvIndex = 0;
+ if (_debug) {
+ _debug->println("_recvBuffer overflow");
+ }
 }
 _recvBuffer[_recvIndex++] = b;
From 71ed75d73d0ee8f6e1e1ad72429394171845619c Mon Sep 17 00:00:00 2001
From: "953308023@qq.com" <953308023@qq.com>
Date: Thu, 20 Jan 2022 11:33:12 +0800
Subject: [PATCH 5/5] fix the potential overflow problem of leAdvertisingReport->eirData
---
 src/utility/HCI.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/utility/HCI.cpp b/src/utility/HCI.cpp
index 0b45293f..c0411382 100644
--- a/src/utility/HCI.cpp
+++ b/src/utility/HCI.cpp
@@ -659,6 +659,10 @@ void HCIClass::handleEventPkt(uint8_t /*plen*/, uint8_t pdata[])
 uint8_t eirData[31];
 } *leAdvertisingReport = (EvtLeAdvertisingReport*)&pdata[sizeof(HCIEventHdr) + sizeof(LeMetaEventHeader)];
+ if(leAdvertisingReport->eirLength > sizeof(leAdvertisingReport->eirData)){
+ return ;
+ }
+
 if (leAdvertisingReport->status == 0x01) { // last byte is RSSI
 int8_t rssi = leAdvertisingReport->eirData[leAdvertisingReport->eirLength];
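Review bot: The added bound in the last hunk only checks `eirLength` against the declared size of `eirData`, not against how many bytes were actually received for this event, so a truncated report carrying a plausible `eirLength` still passes and `eirData[eirLength]` reads stale bytes from the underlying receive buffer; the `plen` parameter commented out in the signature looks like the natural input for such a check, though its exact meaning is not visible here. With `eirLength == 31`, the maximum this guard admits, the RSSI read on the last context line is `eirData[31]`, one past the declared array — consistent with the wire layout but worth a comment such as `// RSSI follows the EIR payload, i.e. one byte past eirData[] for a full-length report` so nobody later "fixes" the guard to `>=`. The silent `return ;` could use the same `_debug` reporting the series adds for `_recvBuffer`, so dropped reports are observable. Note also that this patch's `index 0b45293f..c0411382` line names the blob produced by patch 1 rather than patch 4's `f158d035`, so it was generated against a stale base and may not apply in series order; handleEventPkt starts and ends outside the hunk.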