ble_mesh: Add length check for some mesh operations

This commit is contained in:
lly 2020-04-01 20:02:10 +08:00
parent 6e7d43dd89
commit 1432daf4c6
8 changed files with 48 additions and 12 deletions

View file

@ -44,6 +44,9 @@ uint16_t *esp_ble_mesh_is_model_subscribed_to_group(esp_ble_mesh_model_t *model,
esp_ble_mesh_elem_t *esp_ble_mesh_find_element(uint16_t element_addr) esp_ble_mesh_elem_t *esp_ble_mesh_find_element(uint16_t element_addr)
{ {
if (!ESP_BLE_MESH_ADDR_IS_UNICAST(element_addr)) {
return NULL;
}
return btc_ble_mesh_elem_find(element_addr); return btc_ble_mesh_elem_find(element_addr);
} }

View file

@ -118,7 +118,7 @@ esp_err_t esp_ble_mesh_node_input_string(const char *string)
btc_ble_mesh_prov_args_t arg = {0}; btc_ble_mesh_prov_args_t arg = {0};
btc_msg_t msg = {0}; btc_msg_t msg = {0};
if (!string) { if (!string || strlen(string) > ESP_BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
return ESP_ERR_INVALID_ARG; return ESP_ERR_INVALID_ARG;
} }
@ -187,7 +187,8 @@ esp_err_t esp_ble_mesh_provisioner_input_string(const char *string, uint8_t link
btc_ble_mesh_prov_args_t arg = {0}; btc_ble_mesh_prov_args_t arg = {0};
btc_msg_t msg = {0}; btc_msg_t msg = {0};
if (!string || link_idx >= MAX_PROV_LINK_IDX) { if (!string || strlen(string) > ESP_BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN ||
link_idx >= MAX_PROV_LINK_IDX) {
return ESP_ERR_INVALID_ARG; return ESP_ERR_INVALID_ARG;
} }
@ -353,6 +354,10 @@ esp_err_t esp_ble_mesh_provisioner_set_dev_uuid_match(const uint8_t *match_val,
btc_ble_mesh_prov_args_t arg = {0}; btc_ble_mesh_prov_args_t arg = {0};
btc_msg_t msg = {0}; btc_msg_t msg = {0};
if (match_len + offset > ESP_BLE_MESH_OCTET16_LEN) {
return ESP_ERR_INVALID_ARG;
}
ESP_BLE_HOST_STATUS_CHECK(ESP_BLE_HOST_STATUS_ENABLED); ESP_BLE_HOST_STATUS_CHECK(ESP_BLE_HOST_STATUS_ENABLED);
msg.sig = BTC_SIG_API_CALL; msg.sig = BTC_SIG_API_CALL;
@ -449,7 +454,8 @@ esp_err_t esp_ble_mesh_set_fast_prov_info(esp_ble_mesh_fast_prov_info_t *fast_pr
btc_ble_mesh_prov_args_t arg = {0}; btc_ble_mesh_prov_args_t arg = {0};
btc_msg_t msg = {0}; btc_msg_t msg = {0};
if (fast_prov_info == NULL) { if (fast_prov_info == NULL || (fast_prov_info->offset +
fast_prov_info->match_len > ESP_BLE_MESH_OCTET16_LEN)) {
return ESP_ERR_INVALID_ARG; return ESP_ERR_INVALID_ARG;
} }

View file

@ -238,6 +238,15 @@ typedef enum {
ESP_BLE_MESH_PROV_OOB_ON_DEV = BIT(15), ESP_BLE_MESH_PROV_OOB_ON_DEV = BIT(15),
} esp_ble_mesh_prov_oob_info_t; } esp_ble_mesh_prov_oob_info_t;
/*!< Maximum length of value used by Static OOB authentication */
#define ESP_BLE_MESH_PROV_STATIC_OOB_MAX_LEN 16
/*!< Maximum length of string used by Output OOB authentication */
#define ESP_BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN 8
/*!< Maximum length of string used by Output OOB authentication */
#define ESP_BLE_MESH_PROV_INPUT_OOB_MAX_LEN 8
/*!< Macros used to define message opcode */ /*!< Macros used to define message opcode */
#define ESP_BLE_MESH_MODEL_OP_1(b0) (b0) #define ESP_BLE_MESH_MODEL_OP_1(b0) (b0)
#define ESP_BLE_MESH_MODEL_OP_2(b0, b1) (((b0) << 8) | (b1)) #define ESP_BLE_MESH_MODEL_OP_2(b0, b1) (((b0) << 8) | (b1))

View file

@ -58,6 +58,10 @@ typedef enum {
BLE_MESH_PROV_OOB_ON_DEV = BIT(15), BLE_MESH_PROV_OOB_ON_DEV = BIT(15),
} bt_mesh_prov_oob_info_t; } bt_mesh_prov_oob_info_t;
#define BLE_MESH_PROV_STATIC_OOB_MAX_LEN 16
#define BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN 8
#define BLE_MESH_PROV_INPUT_OOB_MAX_LEN 8
/** Provisioning properties & capabilities. */ /** Provisioning properties & capabilities. */
struct bt_mesh_prov { struct bt_mesh_prov {
#if CONFIG_BLE_MESH_NODE #if CONFIG_BLE_MESH_NODE

View file

@ -1743,6 +1743,13 @@ int bt_mesh_prov_init(const struct bt_mesh_prov *prov_info)
return -EINVAL; return -EINVAL;
} }
if (prov_info->static_val_len > BLE_MESH_PROV_STATIC_OOB_MAX_LEN ||
prov_info->output_size > BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN ||
prov_info->input_size > BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
BT_ERR("%s, Invalid auth oob length", __func__);
return -EINVAL;
}
/* Changed by Espressif. Use micro-ecc to generate public key now. */ /* Changed by Espressif. Use micro-ecc to generate public key now. */
key = bt_mesh_pub_key_get(); key = bt_mesh_pub_key_get();
if (!key) { if (!key) {

View file

@ -2178,6 +2178,11 @@ int bt_mesh_provisioner_set_oob_output_data(const u8_t idx, const u8_t *num, u8_
* Parameter num_flag is used to indicate whether the value * Parameter num_flag is used to indicate whether the value
* output by provisioner is number or string. * output by provisioner is number or string.
*/ */
if (num == NULL || size > BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
BT_ERR("%s, Invalid parameter", __func__);
return -EINVAL;
}
if (!link[idx].auth) { if (!link[idx].auth) {
BT_ERR("%s, link auth is NULL", __func__); BT_ERR("%s, link auth is NULL", __func__);
return -EINVAL; return -EINVAL;

View file

@ -660,6 +660,11 @@ void bt_mesh_proxy_client_adv_ind_recv(struct net_buf_simple *buf, const bt_mesh
switch (type) { switch (type) {
case BLE_MESH_PROXY_ADV_NET_ID: { case BLE_MESH_PROXY_ADV_NET_ID: {
if (buf->len != sizeof(ctx.net_id.net_id)) {
BT_WARN("Malformed Network ID");
return;
}
struct bt_mesh_subnet *sub = NULL; struct bt_mesh_subnet *sub = NULL;
sub = bt_mesh_is_net_id_exist(buf->data); sub = bt_mesh_is_net_id_exist(buf->data);
if (!sub) { if (!sub) {

View file

@ -139,7 +139,7 @@ esp_err_t example_fast_prov_server_recv_msg(esp_ble_mesh_model_t *model,
* status_bit_mask (2) + status_ctx_flag (1) + status_unicast (1) + status_net_idx (1) + * status_bit_mask (2) + status_ctx_flag (1) + status_unicast (1) + status_net_idx (1) +
* status_group (1) + status_pri_prov (1) + status_match (1) + status_action (1). * status_group (1) + status_pri_prov (1) + status_match (1) + status_action (1).
*/ */
uint8_t match_len = 0, match_val[16]; uint8_t match_len = 0, match_val[16] = {0};
uint8_t status_unicast = 0; uint8_t status_unicast = 0;
uint8_t flags = 0; uint8_t flags = 0;
@ -186,6 +186,11 @@ esp_err_t example_fast_prov_server_recv_msg(esp_ble_mesh_model_t *model,
uint16_t pri_prov_addr = (ctx_flags & BIT(7)) ? net_buf_simple_pull_le16(buf) : ESP_BLE_MESH_ADDR_UNASSIGNED; uint16_t pri_prov_addr = (ctx_flags & BIT(7)) ? net_buf_simple_pull_le16(buf) : ESP_BLE_MESH_ADDR_UNASSIGNED;
if (ctx_flags & BIT(8)) { if (ctx_flags & BIT(8)) {
match_len = buf->len - ((ctx_flags & BIT(9)) ? 1 : 0); match_len = buf->len - ((ctx_flags & BIT(9)) ? 1 : 0);
if (match_len > ESP_BLE_MESH_OCTET16_LEN) {
net_buf_simple_add_le16(msg, BIT(5));
net_buf_simple_add_u8(msg, 0x01); /* too large match value length */
break;
}
memcpy(match_val, buf->data, match_len); memcpy(match_val, buf->data, match_len);
net_buf_simple_pull(buf, match_len); net_buf_simple_pull(buf, match_len);
} }
@ -249,14 +254,6 @@ esp_err_t example_fast_prov_server_recv_msg(esp_ble_mesh_model_t *model,
} }
} }
if (ctx_flags & BIT(8)) {
if (match_len > 16) {
net_buf_simple_add_le16(msg, BIT(5));
net_buf_simple_add_u8(msg, 0x01); /* too large match value length */
break;
}
}
if (ctx_flags & BIT(9)) { if (ctx_flags & BIT(9)) {
if ((action & BIT_MASK(2)) != FAST_PROV_ACT_ENTER) { if ((action & BIT_MASK(2)) != FAST_PROV_ACT_ENTER) {
net_buf_simple_add_le16(msg, BIT(6)); net_buf_simple_add_le16(msg, BIT(6));