bartoszek/zephyr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

mgmt/mcumgr: Fix possible buffer overflow in BT tranport

Browse Source 
The commit add checks whether frame received from BT transport
will really fit into allocated net_buf form mcumgr.

Fixes: #44271

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
This commit is contained in:
Dominik Ermel 2022-03-28 12:32:50 +00:00 committed by Carles Cufí
parent 199048b2ed
commit 30fcf494be
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
subsys/mgmt/mcumgr/smp_bt.c
View File

@ -231,8 +231,17 @@ static ssize_t smp_bt_chr_write(struct bt_conn *conn,
nb = mcumgr_buf_alloc();
if (!nb) {
LOG_DBG("failed net_buf alloc for SMP packet");
return BT_GATT_ERR(BT_ATT_ERR_INSUFFICIENT_RESOURCES);
}
if (net_buf_tailroom(nb) < len) {
LOG_DBG("SMP packet len (%zu) > net_buf len (%zu)",
len, net_buf_tailroom(nb));
mcumgr_buf_free(nb);
return BT_GATT_ERR(BT_ATT_ERR_INSUFFICIENT_RESOURCES);
}
net_buf_add_mem(nb, buf, len);
ud = net_buf_user_data(nb);