
Commit 4b4bc91

Merge branch 'bugfix/fix_blufi_crash_v5.3' into 'release/v5.3'
fix(blufi): Fixed crash issue during memcpy in example (v5.3) See merge request espressif/esp-idf!36551
2 parents 0c8da9f + 12b7a9e commit 4b4bc91


2 files changed

+40
-1
lines changed


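--- a/examples/bluetooth/blufi/main/blufi_example_main.c
+++ b/examples/bluetooth/blufi/main/blufi_example_main.c
@@ -382,26 +382,46 @@ static void example_event_callback(esp_blufi_cb_event_t event, esp_blufi_cb_para
 BLUFI_INFO("Recv STA BSSID %s\n", sta_config.sta.ssid);
 break;
 case ESP_BLUFI_EVENT_RECV_STA_SSID:
+if (param->sta_ssid.ssid_len >= sizeof(sta_config.sta.ssid)/sizeof(sta_config.sta.ssid[0])) {
+esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
+BLUFI_INFO("Invalid STA SSID\n");
+break;
+}
 strncpy((char *)sta_config.sta.ssid, (char *)param->sta_ssid.ssid, param->sta_ssid.ssid_len);
 sta_config.sta.ssid[param->sta_ssid.ssid_len] = '\0';
 esp_wifi_set_config(WIFI_IF_STA, &sta_config);
 BLUFI_INFO("Recv STA SSID %s\n", sta_config.sta.ssid);
 break;
 case ESP_BLUFI_EVENT_RECV_STA_PASSWD:
+if (param->sta_passwd.passwd_len >= sizeof(sta_config.sta.password)/sizeof(sta_config.sta.password[0])) {
+esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
+BLUFI_INFO("Invalid STA PASSWORD\n");
+break;
+}
 strncpy((char *)sta_config.sta.password, (char *)param->sta_passwd.passwd, param->sta_passwd.passwd_len);
 sta_config.sta.password[param->sta_passwd.passwd_len] = '\0';
 sta_config.sta.threshold.authmode = EXAMPLE_WIFI_SCAN_AUTH_MODE_THRESHOLD;
 esp_wifi_set_config(WIFI_IF_STA, &sta_config);
 BLUFI_INFO("Recv STA PASSWORD %s\n", sta_config.sta.password);
 break;
 case ESP_BLUFI_EVENT_RECV_SOFTAP_SSID:
+if (param->softap_ssid.ssid_len >= sizeof(ap_config.ap.ssid)/sizeof(ap_config.ap.ssid[0])) {
+esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
+BLUFI_INFO("Invalid SOFTAP SSID\n");
+break;
+}
 strncpy((char *)ap_config.ap.ssid, (char *)param->softap_ssid.ssid, param->softap_ssid.ssid_len);
 ap_config.ap.ssid[param->softap_ssid.ssid_len] = '\0';
 ap_config.ap.ssid_len = param->softap_ssid.ssid_len;
 esp_wifi_set_config(WIFI_IF_AP, &ap_config);
 BLUFI_INFO("Recv SOFTAP SSID %s, ssid len %d\n", ap_config.ap.ssid, ap_config.ap.ssid_len);
 break;
 case ESP_BLUFI_EVENT_RECV_SOFTAP_PASSWD:
+if (param->softap_passwd.passwd_len >= sizeof(ap_config.sta.ssid)/sizeof(ap_config.sta.ssid[0])) {
+esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
+BLUFI_INFO("Invalid SOFTAP PASSWD\n");
+break;
+}
 strncpy((char *)ap_config.ap.password, (char *)param->softap_passwd.passwd, param->softap_passwd.passwd_len);
 ap_config.ap.password[param->softap_passwd.passwd_len] = '\0';
 esp_wifi_set_config(WIFI_IF_AP, &ap_config);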
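Review bot: The guard added to the `ESP_BLUFI_EVENT_RECV_SOFTAP_PASSWD` case measures the wrong field: it compares `passwd_len` against `sizeof(ap_config.sta.ssid)`, while the `strncpy` and NUL store that follow write into `ap_config.ap.password`. If the SSID array is the smaller of the two (their declarations are not in this hunk), the copy stays in bounds but valid longer passphrases are rejected with `ESP_BLUFI_DATA_FORMAT_ERROR`; either way the check does not track the buffer it protects. Bound it by the destination, as the other three cases do: `if (param->softap_passwd.passwd_len >= sizeof(ap_config.ap.password)/sizeof(ap_config.ap.password[0])) {`. The body of `example_event_callback` starts and ends outside the hunk.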

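--- a/examples/bluetooth/blufi/main/blufi_security.c
+++ b/examples/bluetooth/blufi/main/blufi_security.c
@@ -1,5 +1,5 @@
 /*
-* SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
+* SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
@@ -67,6 +67,12 @@ extern void btc_blufi_report_error(esp_blufi_error_state_t state);
 
 void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_data, int *output_len, bool *need_free)
 {
+if (data == NULL || len < 3) {
+BLUFI_ERROR("BLUFI Invalid data format");
+btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+return;
+}
+
 int ret;
 uint8_t type = data[0];
 
@@ -96,6 +102,13 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
 btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
 return;
 }
+
+if (len < (blufi_sec->dh_param_len + 1)) {
+BLUFI_ERROR("%s, invalid dh param len\n", __func__);
+btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
+return;
+}
+
 uint8_t *param = blufi_sec->dh_param;
 memcpy(blufi_sec->dh_param, &data[1], blufi_sec->dh_param_len);
 ret = mbedtls_dhm_read_params(&blufi_sec->dhm, &param, &param[blufi_sec->dh_param_len]);
@@ -108,6 +121,12 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
 blufi_sec->dh_param = NULL;
 
 const int dhm_len = mbedtls_dhm_get_len(&blufi_sec->dhm);
+
+if (dhm_len > DH_SELF_PUB_KEY_LEN) {
+BLUFI_ERROR("%s dhm len not support %d\n", __func__, dhm_len);
+btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
+}
+
 ret = mbedtls_dhm_make_public(&blufi_sec->dhm, dhm_len, blufi_sec->self_public_key, dhm_len, myrand, NULL);
 if (ret) {
 BLUFI_ERROR("%s make public failed %d\n", __func__, ret);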
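Review bot: The `dhm_len > DH_SELF_PUB_KEY_LEN` check added in the last hunk reports `ESP_BLUFI_DH_PARAM_ERROR` but never returns, so execution still reaches `mbedtls_dhm_make_public(&blufi_sec->dhm, dhm_len, blufi_sec->self_public_key, dhm_len, ...)` with the length it has just rejected. Assuming `self_public_key` is sized by `DH_SELF_PUB_KEY_LEN` (its declaration is outside the hunk), peer-supplied DH parameters with a larger modulus would still let the public value be written past that buffer. Add `return;` after `btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);`, as the two other guards added in this file already do. The body of `blufi_dh_negotiate_data_handler` continues outside the hunk.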
