Bluetooth: Host: Add a validation for hci_le_read_max_data_len()

Check max_tx_octects and max_tx_time are in the valid range, according to the BT Core spec 5.4 [Vol 4, Part E, 7.8.46] Fix #70472 Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
zephyrproject-rtos · Mar 21, 2024 · b13a27e · b13a27e
1 parent c74d60d
commit b13a27e
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/include/zephyr/bluetooth/hci_types.h b/include/zephyr/bluetooth/hci_types.h
@@ -1272,6 +1272,17 @@ struct bt_hci_cp_le_set_rpa_timeout {
 	uint16_t rpa_timeout;
 } __packed;
 
+/* All limits according to BT Core spec 5.4 [Vol 4, Part E, 7.8.46] */
+#define BT_HCI_LE_MAX_TX_OCTETS_MIN             0x001B
+#define BT_HCI_LE_MAX_TX_OCTETS_MAX             0x00FB
+#define BT_HCI_LE_MAX_RX_OCTETS_MIN             0x001B
+#define BT_HCI_LE_MAX_RX_OCTETS_MAX             0x00FB
+
+#define BT_HCI_LE_MAX_TX_TIME_MIN               0x0148
+#define BT_HCI_LE_MAX_TX_TIME_MAX               0x4290
+#define BT_HCI_LE_MAX_RX_TIME_MIN               0x0148
+#define BT_HCI_LE_MAX_RX_TIME_MAX               0x4290
+
 #define BT_HCI_OP_LE_READ_MAX_DATA_LEN          BT_OP(BT_OGF_LE, 0x002f) /* 0x202f */
 struct bt_hci_rp_le_read_max_data_len {
 	uint8_t  status;

diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
@@ -407,6 +407,15 @@ static int hci_le_read_max_data_len(uint16_t *tx_octets, uint16_t *tx_time)
 	*tx_time = sys_le16_to_cpu(rp->max_tx_time);
 	net_buf_unref(rsp);
 
+	if (*tx_octets < BT_HCI_LE_MAX_TX_OCTETS_MIN ||
+           *tx_octets > BT_HCI_LE_MAX_TX_OCTETS_MAX) {
+		LOG_WRN("tx_octets exceeds the valid range %u", *tx_octets);
+	}
+	if (*tx_time < BT_HCI_LE_MAX_TX_TIME_MIN ||
+           *tx_time > BT_HCI_LE_MAX_TX_TIME_MAX) {
+		LOG_WRN("tx_time exceeds the valid range %u", *tx_time);
+	}
+
 	return 0;
 }
 
@@ -1682,6 +1691,23 @@ static void le_data_len_change(struct net_buf *buf)
 	uint16_t max_tx_time = sys_le16_to_cpu(evt->max_tx_time);
 	uint16_t max_rx_time = sys_le16_to_cpu(evt->max_rx_time);
 
+	if (max_tx_octets < BT_HCI_LE_MAX_TX_OCTETS_MIN ||
+           max_tx_octets > BT_HCI_LE_MAX_TX_OCTETS_MAX) {
+		LOG_WRN("max_tx_octets exceeds the valid range %u", max_tx_octets);
+	}
+	if (max_rx_octets < BT_HCI_LE_MAX_RX_OCTETS_MIN ||
+           max_rx_octets > BT_HCI_LE_MAX_RX_OCTETS_MAX) {
+		LOG_WRN("max_rx_octets exceeds the valid range %u", max_rx_octets);
+	}
+	if (max_tx_time < BT_HCI_LE_MAX_TX_TIME_MIN ||
+           max_tx_time > BT_HCI_LE_MAX_TX_TIME_MAX) {
+		LOG_WRN("max_tx_time exceeds the valid range %u", max_tx_time);
+	}
+	if (max_rx_time < BT_HCI_LE_MAX_RX_TIME_MIN ||
+           max_rx_time > BT_HCI_LE_MAX_RX_TIME_MAX) {
+		LOG_WRN("max_rx_time exceeds the valid range %u", max_rx_time);
+	}
+
 	LOG_DBG("max. tx: %u (%uus), max. rx: %u (%uus)", max_tx_octets, max_tx_time, max_rx_octets,
 		max_rx_time);