From 1aa40de9346c10a3fc03080c004c7799f8a9e70f Mon Sep 17 00:00:00 2001
From: Chinmay Chhajed
Date: Thu, 20 Aug 2020 14:42:46 +0530
Subject: [PATCH] NimBLE: host_rcv_pkt event buf size check. Check if the size of HCI event buffer is greater than the received HCI packet. If not then abort with the error message.
---
 components/nimble/esp-hci/src/esp_nimble_hci.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/components/nimble/esp-hci/src/esp_nimble_hci.c b/components/nimble/esp-hci/src/esp_nimble_hci.c
index 92acaf6a0..3220c2271 100644
--- a/components/nimble/esp-hci/src/esp_nimble_hci.c
+++ b/components/nimble/esp-hci/src/esp_nimble_hci.c
@@ -341,6 +341,13 @@ static int host_rcv_pkt(uint8_t *data, uint16_t len)
 totlen = BLE_HCI_EVENT_HDR_LEN + data[2];
 assert(totlen <= UINT8_MAX + BLE_HCI_EVENT_HDR_LEN);
+ if (totlen > MYNEWT_VAL(BLE_HCI_EVT_BUF_SIZE)) {
+ ESP_LOGE(TAG, "Received HCI data length at host (%d) exceeds maximum configured HCI event buffer size (%d).",
+ totlen, MYNEWT_VAL(BLE_HCI_EVT_BUF_SIZE));
+ ble_hs_sched_reset(BLE_HS_ECONTROLLER);
+ return 0;
+ }
+
 if (data[1] == BLE_HCI_EVCODE_HW_ERROR) {
 assert(0);
 }
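Review bot: The new guard bounds `totlen` against the destination event buffer but never against `len`, the number of bytes actually received, and `data[2]` is read before any visible check that `len` covers it. If the copy further down (outside this hunk) takes `totlen` bytes from `data`, an event whose length byte overstates its payload would still be read past the end of the source buffer. Assuming `data[0]` is the packet-type byte, the same rejection path could also cover that case with `if (len < 1 + BLE_HCI_EVENT_HDR_LEN || totlen + 1 > len)`, with the `len` check placed ahead of the `data[2]` read. The `assert` just above cannot stand in for this, since `data[2]` is a `uint8_t` and the assert is always true (and is compiled out under `NDEBUG`). Separately, the function returns 0 after scheduling the reset, so the caller cannot tell the event was dropped; a short comment saying that this is intentional would help, and the commit message's "abort" does not match the reset-and-return behaviour.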