From 522371c3241fe02c09a4b6fdacb1a1254c44963a Mon Sep 17 00:00:00 2001
From: Pavel Vasilyev
Date: Wed, 27 Aug 2025 14:12:00 +0200
Subject: [PATCH] bluetooth: mesh: pb_adv: check TotalLength against adv buf length

Check that the buffer length of the received advertising data is less than reported TotalLength in Transaction Start PDU.

Signed-off-by: Pavel Vasilyev
---
 subsys/bluetooth/mesh/pb_adv.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/subsys/bluetooth/mesh/pb_adv.c b/subsys/bluetooth/mesh/pb_adv.c
index c6b3f77816548..4898c6c2f40da 100644
--- a/subsys/bluetooth/mesh/pb_adv.c
+++ b/subsys/bluetooth/mesh/pb_adv.c
@@ -634,6 +634,13 @@ static void gen_prov_start(struct prov_rx *rx, struct net_buf_simple *buf)
 return;
 }
 
+ if (link.rx.buf->len < buf->len) {
+ LOG_ERR("Invalid declared provisionig PDU length (%u > %u)", buf->len,
+ link.rx.buf->len);
+ prov_failed(PROV_ERR_NVAL_FMT);
+ return;
+ }
+
 if (START_LAST_SEG(rx->gpc) > 0 && link.rx.buf->len <= 20U) {
 LOG_ERR("Too small total length for multi-segment PDU");
 prov_failed(PROV_ERR_NVAL_FMT);
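Review bot: The new guard in gen_prov_start is only an upper bound: it rejects a Start PDU whose payload (`buf->len`) exceeds the declared TotalLength (`link.rx.buf->len`), but a single-segment PDU whose payload is shorter than TotalLength still passes and is presumably caught only by a later integrity check. If an exact match is expected when `START_LAST_SEG(rx->gpc) == 0`, consider tightening that case with `if (START_LAST_SEG(rx->gpc) == 0 && link.rx.buf->len != buf->len)` and the same `prov_failed(PROV_ERR_NVAL_FMT); return;` handling. A one-line comment such as `/* The first segment cannot carry more data than the declared TotalLength. */` would record why the check sits here, and the log string has a typo (`provisionig` should be `provisioning`). The function body starts and ends outside the hunk, so the copy this bound is meant to protect and the earlier size checks are not visible here.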