diff --git a/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_local_data_operation_api.c b/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_local_data_operation_api.c
index 656cae4f0..5d86dda5a 100644
--- a/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_local_data_operation_api.c
+++ b/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_local_data_operation_api.c
@@ -44,6 +44,9 @@ uint16_t *esp_ble_mesh_is_model_subscribed_to_group(esp_ble_mesh_model_t *model,
 esp_ble_mesh_elem_t *esp_ble_mesh_find_element(uint16_t element_addr)
 {
+ if (!ESP_BLE_MESH_ADDR_IS_UNICAST(element_addr)) {
+ return NULL;
+ }
 return btc_ble_mesh_elem_find(element_addr);
 }
diff --git a/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_networking_api.c b/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_networking_api.c
index 7d30b3a64..0f36723e5 100644
--- a/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_networking_api.c
+++ b/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_networking_api.c
@@ -268,7 +268,8 @@ esp_err_t esp_ble_mesh_provisioner_set_node_name(uint16_t index, const char *nam
 arg.set_node_name.index = index;
 memset(arg.set_node_name.name, 0, sizeof(arg.set_node_name.name));
- memcpy(arg.set_node_name.name, name, strlen(name));
+ strncpy(arg.set_node_name.name, name, ESP_BLE_MESH_NODE_NAME_MAX_LEN);
+
 return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_mesh_prov_args_t), NULL)
 == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
 }
diff --git a/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_provisioning_api.c b/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_provisioning_api.c
index c3dfdc04a..b1f19cb91 100644
--- a/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_provisioning_api.c
+++ b/components/bt/esp_ble_mesh/api/core/esp_ble_mesh_provisioning_api.c
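Review bot: The unicast guard added to esp_ble_mesh_find_element changes the public contract — group, virtual and unassigned addresses now yield NULL before any lookup — but nothing documents it, so callers cannot tell "not unicast" from "not found". Add to the header declaration a line such as `@return Pointer to the element, or NULL if element_addr is not a unicast address or no local element uses it.`. The hunk itself needs no code change.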
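Review bot: `strncpy(arg.set_node_name.name, name, ESP_BLE_MESH_NODE_NAME_MAX_LEN)` silently truncates a longer name instead of rejecting it; termination is fine because the array is now MAX_LEN + 1 and zero-filled just above, but unless a length check earlier in esp_ble_mesh_provisioner_set_node_name (outside the hunk) rejects such names, the provisioner stores a different name from the one the caller passed. A comment `/* array zeroed above; at most MAX_LEN bytes copied, so it stays NUL-terminated */` would make the invariant explicit. The same pattern appears in esp_ble_mesh_set_unprovisioned_device_name and bt_mesh_set_device_name later in this diff.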
@@ -118,7 +118,7 @@ esp_err_t esp_ble_mesh_node_input_string(const char *string)
 btc_ble_mesh_prov_args_t arg = {0};
 btc_msg_t msg = {0};
- if (!string) {
+ if (!string || strlen(string) > ESP_BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
 return ESP_ERR_INVALID_ARG;
 }
@@ -128,7 +128,8 @@ esp_err_t esp_ble_mesh_node_input_string(const char *string)
 msg.pid = BTC_PID_PROV;
 msg.act = BTC_BLE_MESH_ACT_INPUT_STRING;
 memset(arg.input_string.string, 0, sizeof(arg.input_string.string));
- strncpy(arg.input_string.string, string, strlen(string));
+ strncpy(arg.input_string.string, string,
+ MIN(strlen(string), sizeof(arg.input_string.string)));
 return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_mesh_prov_args_t), NULL)
 == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
@@ -150,7 +151,8 @@ esp_err_t esp_ble_mesh_set_unprovisioned_device_name(const char *name)
 msg.act = BTC_BLE_MESH_ACT_SET_DEVICE_NAME;
 memset(arg.set_device_name.name, 0, sizeof(arg.set_device_name.name));
- memcpy(arg.set_device_name.name, name, strlen(name));
+ strncpy(arg.set_device_name.name, name, ESP_BLE_MESH_DEVICE_NAME_MAX_LEN);
+
 return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_mesh_prov_args_t), NULL)
 == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
 }
@@ -185,7 +187,8 @@ esp_err_t esp_ble_mesh_provisioner_input_string(const char *string, uint8_t link
 btc_ble_mesh_prov_args_t arg = {0};
 btc_msg_t msg = {0};
- if (!string || link_idx >= MAX_PROV_LINK_IDX) {
+ if (!string || strlen(string) > ESP_BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN ||
+ link_idx >= MAX_PROV_LINK_IDX) {
 return ESP_ERR_INVALID_ARG;
 }
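Review bot: The new length check in esp_ble_mesh_node_input_string admits strings of exactly ESP_BLE_MESH_PROV_INPUT_OOB_MAX_LEN (8) bytes, and the copy in the @@ -128 hunk then writes MIN(strlen, sizeof) = 8 bytes into `arg.input_string.string`, which btc_ble_mesh_prov.h still declares as `char string[8]`; the preceding memset cannot help because every byte is overwritten, so the transferred value carries no NUL terminator. Whether that is harmful depends on how the btc handler consumes the field, which is outside this diff, but it is the one name buffer this commit did not grow. The consistent fix is `char string[ESP_BLE_MESH_PROV_INPUT_OOB_MAX_LEN + 1];` in btc_ble_mesh_prov.h, and the same question applies to provisioner_input_str.string filled by esp_ble_mesh_provisioner_input_string (hunk @@ -196) and to mesh_param.node_prov_output_str.string filled in btc_ble_mesh_output_string_cb, whose declarations are not visible here.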
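Review bot: esp_ble_mesh_provisioner_input_string bounds the string with ESP_BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN, which reads like a copy-paste slip next to the INPUT constant used in the hunk above, although it is the right limit: the provisioner types in what the device displayed as Output OOB. A one-line comment on the condition, `/* the device displayed this string, so its Output OOB size limit applies */`, would stop the next reader from "fixing" it. The same cross-mapping appears in bt_mesh_provisioner_set_oob_output_data, which checks against BLE_MESH_PROV_INPUT_OOB_MAX_LEN, and deserves the same comment there.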
@@ -196,7 +199,8 @@ esp_err_t esp_ble_mesh_provisioner_input_string(const char *string, uint8_t link
 msg.act = BTC_BLE_MESH_ACT_PROVISIONER_INPUT_STR;
 memset(arg.provisioner_input_str.string, 0, sizeof(arg.provisioner_input_str.string));
- strncpy(arg.provisioner_input_str.string, string, strlen(string));
+ strncpy(arg.provisioner_input_str.string, string,
+ MIN(strlen(string), sizeof(arg.provisioner_input_str.string)));
 arg.provisioner_input_str.link_idx = link_idx;
 return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_mesh_prov_args_t), NULL)
@@ -350,6 +354,10 @@ esp_err_t esp_ble_mesh_provisioner_set_dev_uuid_match(const uint8_t *match_val,
 btc_ble_mesh_prov_args_t arg = {0};
 btc_msg_t msg = {0};
+ if (match_len + offset > ESP_BLE_MESH_OCTET16_LEN) {
+ return ESP_ERR_INVALID_ARG;
+ }
+
 ESP_BLE_HOST_STATUS_CHECK(ESP_BLE_HOST_STATUS_ENABLED);
 msg.sig = BTC_SIG_API_CALL;
@@ -446,7 +454,8 @@ esp_err_t esp_ble_mesh_set_fast_prov_info(esp_ble_mesh_fast_prov_info_t *fast_pr
 btc_ble_mesh_prov_args_t arg = {0};
 btc_msg_t msg = {0};
- if (fast_prov_info == NULL) {
+ if (fast_prov_info == NULL || (fast_prov_info->offset +
+ fast_prov_info->match_len > ESP_BLE_MESH_OCTET16_LEN)) {
 return ESP_ERR_INVALID_ARG;
 }
diff --git a/components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h b/components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h
index 68ea90a3b..acc8a818e 100644
--- a/components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h
+++ b/components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h
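Review bot: The new `match_len + offset > ESP_BLE_MESH_OCTET16_LEN` rejection in esp_ble_mesh_provisioner_set_dev_uuid_match is a contract change for a public function and is not documented; its header declaration, and that of esp_ble_mesh_set_fast_prov_info which gains the equivalent check in the @@ -446 hunk, should state `@return ESP_ERR_INVALID_ARG if offset + match_len exceeds the 16-byte UUID`. The two hunks also spell the same condition differently (`match_len + offset` here, `fast_prov_info->offset + fast_prov_info->match_len` there); writing both in the same order makes a grep for the invariant reliable. Both function bodies extend beyond their hunks.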
@@ -242,6 +242,15 @@ typedef enum {
 ESP_BLE_MESH_PROV_OOB_ON_DEV = BIT(15),
 } esp_ble_mesh_prov_oob_info_t;
+/*!< Maximum length of value used by Static OOB authentication */
+#define ESP_BLE_MESH_PROV_STATIC_OOB_MAX_LEN 16
+
+/*!< Maximum length of string used by Output OOB authentication */
+#define ESP_BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN 8
+
+/*!< Maximum length of string used by Output OOB authentication */
+#define ESP_BLE_MESH_PROV_INPUT_OOB_MAX_LEN 8
+
 /*!< Macros used to define message opcode */
 #define ESP_BLE_MESH_MODEL_OP_1(b0) (b0)
 #define ESP_BLE_MESH_MODEL_OP_2(b0, b1) (((b0) << 8) | (b1))
@@ -697,7 +706,7 @@ typedef struct {
 uint8_t dev_key[16]; /*!< Node device key */
 /* Additional information */
- char name[ESP_BLE_MESH_NODE_NAME_MAX_LEN]; /*!< Node name */
+ char name[ESP_BLE_MESH_NODE_NAME_MAX_LEN + 1]; /*!< Node name */
 uint16_t comp_length; /*!< Length of Composition Data */
 uint8_t *comp_data; /*!< Value of Composition Data */
 } __attribute__((packed)) esp_ble_mesh_node_t;
diff --git a/components/bt/esp_ble_mesh/btc/btc_ble_mesh_prov.c b/components/bt/esp_ble_mesh/btc/btc_ble_mesh_prov.c
index cf2a3825f..f136b615a 100644
--- a/components/bt/esp_ble_mesh/btc/btc_ble_mesh_prov.c
+++ b/components/bt/esp_ble_mesh/btc/btc_ble_mesh_prov.c
@@ -560,7 +560,8 @@ static int btc_ble_mesh_output_string_cb(const char *str)
 BT_DBG("%s", __func__);
- strncpy(mesh_param.node_prov_output_str.string, str, strlen(str));
+ strncpy(mesh_param.node_prov_output_str.string, str,
+ MIN(strlen(str), sizeof(mesh_param.node_prov_output_str.string)));
 ret = btc_ble_mesh_prov_callback(&mesh_param, ESP_BLE_MESH_NODE_PROV_OUTPUT_STRING_EVT);
 return (ret == BT_STATUS_SUCCESS) ? 0 : -1;
diff --git a/components/bt/esp_ble_mesh/btc/include/btc_ble_mesh_prov.h b/components/bt/esp_ble_mesh/btc/include/btc_ble_mesh_prov.h
index 8450c93ba..2f7540e91 100644
--- a/components/bt/esp_ble_mesh/btc/include/btc_ble_mesh_prov.h
+++ b/components/bt/esp_ble_mesh/btc/include/btc_ble_mesh_prov.h
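Review bot: The comment on ESP_BLE_MESH_PROV_INPUT_OOB_MAX_LEN repeats the Output OOB text; it should read `/*!< Maximum length of string used by Input OOB authentication */`. These three values also duplicate the BLE_MESH_PROV_*_OOB_MAX_LEN macros added to mesh_main.h in this same diff with nothing tying the pairs together; a `_Static_assert` in a translation unit that includes both headers, or at least a cross-reference comment on each side, would catch the two sets drifting apart.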
@@ -103,7 +103,7 @@ typedef union {
 char string[8];
 } input_string;
 struct ble_mesh_set_device_name_args {
- char name[ESP_BLE_MESH_DEVICE_NAME_MAX_LEN];
+ char name[ESP_BLE_MESH_DEVICE_NAME_MAX_LEN + 1];
 } set_device_name;
 struct ble_mesh_provisioner_read_oob_pub_key_args {
 uint8_t link_idx;
@@ -157,7 +157,7 @@ typedef union {
 } set_primary_elem_addr;
 struct ble_mesh_provisioner_set_node_name_args {
 uint16_t index;
- char name[ESP_BLE_MESH_NODE_NAME_MAX_LEN];
+ char name[ESP_BLE_MESH_NODE_NAME_MAX_LEN + 1];
 } set_node_name;
 struct ble_mesh_provisioner_add_local_app_key_args {
 uint8_t app_key[16];
diff --git a/components/bt/esp_ble_mesh/mesh_core/include/mesh_main.h b/components/bt/esp_ble_mesh/mesh_core/include/mesh_main.h
index f93db25c6..362c0bec6 100644
--- a/components/bt/esp_ble_mesh/mesh_core/include/mesh_main.h
+++ b/components/bt/esp_ble_mesh/mesh_core/include/mesh_main.h
@@ -62,6 +62,10 @@ typedef enum {
 BLE_MESH_PROV_OOB_ON_DEV = BIT(15),
 } bt_mesh_prov_oob_info_t;
+#define BLE_MESH_PROV_STATIC_OOB_MAX_LEN 16
+#define BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN 8
+#define BLE_MESH_PROV_INPUT_OOB_MAX_LEN 8
+
 /** Provisioning properties & capabilities. */
 struct bt_mesh_prov {
 #if CONFIG_BLE_MESH_NODE
diff --git a/components/bt/esp_ble_mesh/mesh_core/prov.c b/components/bt/esp_ble_mesh/mesh_core/prov.c
index 6f95087c0..bc36a6efb 100644
--- a/components/bt/esp_ble_mesh/mesh_core/prov.c
+++ b/components/bt/esp_ble_mesh/mesh_core/prov.c
@@ -1743,6 +1743,13 @@ int bt_mesh_prov_init(const struct bt_mesh_prov *prov_info)
 return -EINVAL;
 }
+ if (prov_info->static_val_len > BLE_MESH_PROV_STATIC_OOB_MAX_LEN ||
+ prov_info->output_size > BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN ||
+ prov_info->input_size > BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
+ BT_ERR("%s, Invalid auth oob length", __func__);
+ return -EINVAL;
+ }
+
 /* Changed by Espressif. Use micro-ecc to generate public key now. */
 key = bt_mesh_pub_key_get();
 if (!key) {
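Review bot: The new bt_mesh_prov_init rejection logs only "Invalid auth oob length" for three different fields, so a misconfigured application cannot tell whether static_val_len, output_size or input_size tripped it; logging the three values, e.g. `BT_ERR("%s, Invalid auth oob length (static %u, output %u, input %u)", __func__, prov_info->static_val_len, prov_info->output_size, prov_info->input_size);` with the format widths matched to the field types, makes the failure self-explaining. The limits themselves are otherwise undocumented in mesh_main.h; a comment next to the three defines saying they must match the ESP_BLE_MESH_PROV_*_OOB_MAX_LEN values in esp_ble_mesh_defs.h would help. bt_mesh_prov_init continues outside the hunk.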
diff --git a/components/bt/esp_ble_mesh/mesh_core/provisioner_main.c b/components/bt/esp_ble_mesh/mesh_core/provisioner_main.c
index f84fcd491..e1d7df4f2 100644
--- a/components/bt/esp_ble_mesh/mesh_core/provisioner_main.c
+++ b/components/bt/esp_ble_mesh/mesh_core/provisioner_main.c
@@ -490,6 +490,8 @@ int bt_mesh_provisioner_restore_node_name(u16_t addr, const char *name)
 }
 strncpy(node->name, name, BLE_MESH_NODE_NAME_SIZE);
+ node->name[BLE_MESH_NODE_NAME_SIZE] = 0;
+
 return 0;
 }
@@ -625,7 +627,7 @@ int bt_mesh_provisioner_set_node_name(u16_t index, const char *name)
 }
 }
- memset(mesh_nodes[index]->name, 0, BLE_MESH_NODE_NAME_SIZE);
+ memset(mesh_nodes[index]->name, 0, sizeof(mesh_nodes[index]->name));
 strncpy(mesh_nodes[index]->name, name, length);
 if (IS_ENABLED(CONFIG_BLE_MESH_SETTINGS)) {
diff --git a/components/bt/esp_ble_mesh/mesh_core/provisioner_main.h b/components/bt/esp_ble_mesh/mesh_core/provisioner_main.h
index fcee9fdd9..f5552cd24 100644
--- a/components/bt/esp_ble_mesh/mesh_core/provisioner_main.h
+++ b/components/bt/esp_ble_mesh/mesh_core/provisioner_main.h
@@ -42,7 +42,7 @@ struct bt_mesh_node {
 u8_t dev_key[16]; /* Node device key */
 /* Additional information */
- char name[BLE_MESH_NODE_NAME_SIZE]; /* Node name */
+ char name[BLE_MESH_NODE_NAME_SIZE + 1]; /* Node name */
 u16_t comp_length; /* Length of Composition Data */
 u8_t *comp_data; /* Value of Composition Data */
 } __packed;
diff --git a/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c b/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
index 7c930965b..1a1870750 100644
--- a/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
+++ b/components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c
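Review bot: bt_mesh_provisioner_restore_node_name and bt_mesh_provisioner_set_node_name now terminate the same field in two different ways: the first copies BLE_MESH_NODE_NAME_SIZE bytes and writes the terminator by hand, the second zero-fills the whole array and copies `length` bytes. Both are correct only because the array is now BLE_MESH_NODE_NAME_SIZE + 1 (provisioner_main.h hunk), and the set path additionally relies on `length` having been capped above its hunk, which is not visible here. Using the memset-then-strncpy form in both places, or one small static helper, leaves a single invariant to check. Both function bodies start outside their hunks.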
@@ -2178,6 +2178,11 @@ int bt_mesh_provisioner_set_oob_output_data(const u8_t idx, const u8_t *num, u8_
 * Parameter num_flag is used to indicate whether the value
 * output by provisioner is number or string.
 */
+ if (num == NULL || size > BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
+ BT_ERR("%s, Invalid parameter", __func__);
+ return -EINVAL;
+ }
+
 if (!link[idx].auth) {
 BT_ERR("%s, link auth is NULL", __func__);
 return -EINVAL;
diff --git a/components/bt/esp_ble_mesh/mesh_core/proxy_client.c b/components/bt/esp_ble_mesh/mesh_core/proxy_client.c
index fc3472667..784eed645 100644
--- a/components/bt/esp_ble_mesh/mesh_core/proxy_client.c
+++ b/components/bt/esp_ble_mesh/mesh_core/proxy_client.c
@@ -660,6 +660,11 @@ void bt_mesh_proxy_client_adv_ind_recv(struct net_buf_simple *buf, const bt_mesh
 switch (type) {
 case BLE_MESH_PROXY_ADV_NET_ID: {
+ if (buf->len != sizeof(ctx.net_id.net_id)) {
+ BT_WARN("Malformed Network ID");
+ return;
+ }
+
 struct bt_mesh_subnet *sub = NULL;
 sub = bt_mesh_is_net_id_exist(buf->data);
 if (!sub) {
diff --git a/components/bt/esp_ble_mesh/mesh_core/proxy_server.c b/components/bt/esp_ble_mesh/mesh_core/proxy_server.c
index 676b53388..72e443a90 100644
--- a/components/bt/esp_ble_mesh/mesh_core/proxy_server.c
+++ b/components/bt/esp_ble_mesh/mesh_core/proxy_server.c
@@ -109,7 +109,7 @@ static enum {
 MESH_GATT_PROXY,
 } gatt_svc = MESH_GATT_NONE;
-static char device_name[DEVICE_NAME_SIZE] = "ESP-BLE-MESH";
+static char device_name[DEVICE_NAME_SIZE + 1] = "ESP-BLE-MESH";
 int bt_mesh_set_device_name(const char *name)
 {
@@ -124,7 +124,7 @@ int bt_mesh_set_device_name(const char *name)
 }
 memset(device_name, 0x0, sizeof(device_name));
- memcpy(device_name, name, strlen(name));
+ strncpy(device_name, name, DEVICE_NAME_SIZE);
 return bt_mesh_gatts_set_local_device_name(device_name);
 }
diff --git a/components/bt/esp_ble_mesh/mesh_core/settings.c b/components/bt/esp_ble_mesh/mesh_core/settings.c
index 09f6dd055..81ae7ca77 100644
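Review bot: The new parameter check in bt_mesh_provisioner_set_oob_output_data validates `num` and `size` but not `idx`, which indexes `link[idx]` on the very next statement; unless the caller or a line above the hunk already bounds it against the size of the link array, an out-of-range index still reaches that access. If no such check exists, extend the condition with `idx >= <link array length>` using the bound the file already defines for `link`. A comment is also warranted on why the provisioner's *output* is checked against BLE_MESH_PROV_INPUT_OOB_MAX_LEN — the string the provisioner displays is what the device inputs — since the pairing looks like a mix-up at first read. The function body continues outside the hunk.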
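Review bot: The length check is added only to the BLE_MESH_PROXY_ADV_NET_ID case of bt_mesh_proxy_client_adv_ind_recv; the other advertising types handled by the same switch are outside the hunk and, if they read fixed-size fields from `buf->data` in the same way, need the equivalent `if (buf->len != <expected>) { BT_WARN(...); return; }` guard, since this payload arrives over the air from any nearby device. Including the observed length in the warning, e.g. `BT_WARN("Malformed Network ID, len %u", buf->len)` with the width matched to the type of buf->len, makes field triage easier. The function continues beyond the hunk.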
--- a/components/bt/esp_ble_mesh/mesh_core/settings.c
+++ b/components/bt/esp_ble_mesh/mesh_core/settings.c
@@ -1081,7 +1081,7 @@ static int node_info_set(u16_t addr, bool *exist)
 static int node_name_set(u16_t addr)
 {
- char name[BLE_MESH_NODE_NAME_SIZE] = {0};
+ char name[BLE_MESH_NODE_NAME_SIZE + 1] = {0};
 char get[16] = {'\0'};
 bool exist = false;
 int err = 0;
@@ -2512,7 +2512,7 @@ void bt_mesh_clear_node_info(u16_t unicast_addr)
 void bt_mesh_store_node_name(struct bt_mesh_node *node)
 {
- char node_name[BLE_MESH_NODE_NAME_SIZE] = {0};
+ char node_name[BLE_MESH_NODE_NAME_SIZE + 1] = {0};
 char name[16] = {'\0'};
 int err = 0;
@@ -2521,7 +2521,7 @@ void bt_mesh_store_node_name(struct bt_mesh_node *node)
 return;
 }
- strncpy(node_name, node->name, BLE_MESH_NODE_NAME_SIZE);
+ strncpy(node_name, node->name, BLE_MESH_NODE_NAME_SIZE + 1);
 sprintf(name, "mesh/pn/%04x/n", node->unicast_addr);
 err = bt_mesh_save_core_settings(name, (const u8_t *)node_name, BLE_MESH_NODE_NAME_SIZE);
diff --git a/examples/bluetooth/esp_ble_mesh/ble_mesh_fast_provision/ble_mesh_fast_prov_client/main/ble_mesh_demo_main.c b/examples/bluetooth/esp_ble_mesh/ble_mesh_fast_provision/ble_mesh_fast_prov_client/main/ble_mesh_demo_main.c
index 27e93638d..926f96d98 100644
--- a/examples/bluetooth/esp_ble_mesh/ble_mesh_fast_provision/ble_mesh_fast_prov_client/main/ble_mesh_demo_main.c
+++ b/examples/bluetooth/esp_ble_mesh/ble_mesh_fast_provision/ble_mesh_fast_prov_client/main/ble_mesh_demo_main.c
@@ -138,7 +138,7 @@ static void provisioner_prov_complete(int node_index, const uint8_t uuid[16], ui
 uint8_t elem_num, uint16_t net_idx)
 {
 example_node_info_t *node = NULL;
- char name[10];
+ char name[11] = {0};
 esp_err_t err;
 ESP_LOGI(TAG, "Node index: 0x%x, unicast address: 0x%02x, element num: %d, netkey index: 0x%02x",
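Review bot: bt_mesh_store_node_name now copies BLE_MESH_NODE_NAME_SIZE + 1 bytes into node_name but still persists only BLE_MESH_NODE_NAME_SIZE, so the stored blob carries no terminator and every reader must supply one — node_name_set in the @@ -1081 hunk does so through its zero-initialised `name[BLE_MESH_NODE_NAME_SIZE + 1]`. That coupling belongs in a comment at the save call, e.g. `/* stored without terminator; readers must load it into a zeroed SIZE + 1 buffer */`. While here, `sprintf(name, "mesh/pn/%04x/n", ...)` into `char name[16]` fits for a 16-bit address, but `snprintf(name, sizeof(name), "mesh/pn/%04x/n", node->unicast_addr)` documents the bound in code.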
diff --git a/examples/bluetooth/esp_ble_mesh/ble_mesh_provisioner/main/ble_mesh_demo_main.c b/examples/bluetooth/esp_ble_mesh/ble_mesh_provisioner/main/ble_mesh_demo_main.c
index d85fcad7f..4be356ad6 100644
--- a/examples/bluetooth/esp_ble_mesh/ble_mesh_provisioner/main/ble_mesh_demo_main.c
+++ b/examples/bluetooth/esp_ble_mesh/ble_mesh_provisioner/main/ble_mesh_demo_main.c
@@ -191,7 +191,7 @@ static esp_err_t prov_complete(int node_idx, const esp_ble_mesh_octet16_t uuid,
 esp_ble_mesh_client_common_param_t common = {0};
 esp_ble_mesh_cfg_client_get_state_t get_state = {0};
 esp_ble_mesh_node_info_t *node = NULL;
- char name[10];
+ char name[11] = {0};
 int err;
 ESP_LOGI(TAG, "node index: 0x%x, unicast address: 0x%02x, element num: %d, netkey index: 0x%02x",
diff --git a/examples/bluetooth/esp_ble_mesh/common_vendor_models/fast_prov_vendor_model/components/esp_fast_prov_server_model.c b/examples/bluetooth/esp_ble_mesh/common_vendor_models/fast_prov_vendor_model/components/esp_fast_prov_server_model.c
index d5dd42c0a..9168aeab3 100644
--- a/examples/bluetooth/esp_ble_mesh/common_vendor_models/fast_prov_vendor_model/components/esp_fast_prov_server_model.c
+++ b/examples/bluetooth/esp_ble_mesh/common_vendor_models/fast_prov_vendor_model/components/esp_fast_prov_server_model.c
@@ -139,7 +139,7 @@ esp_err_t example_fast_prov_server_recv_msg(esp_ble_mesh_model_t *model,
 * status_bit_mask (2) + status_ctx_flag (1) + status_unicast (1) + status_net_idx (1) +
 * status_group (1) + status_pri_prov (1) + status_match (1) + status_action (1).
 */
- uint8_t match_len = 0, match_val[16];
+ uint8_t match_len = 0, match_val[16] = {0};
 uint8_t status_unicast = 0;
 uint8_t flags = 0;
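Review bot: `match_val[16]` keeps a literal 16 while the bounds check that protects the memcpy into it (the @@ -186 hunk) compares against ESP_BLE_MESH_OCTET16_LEN; declaring it as `uint8_t match_len = 0, match_val[ESP_BLE_MESH_OCTET16_LEN] = {0};` ties the buffer size to the limit so the two cannot drift. The function body continues beyond the hunk.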
@@ -186,6 +186,11 @@ esp_err_t example_fast_prov_server_recv_msg(esp_ble_mesh_model_t *model,
 uint16_t pri_prov_addr = (ctx_flags & BIT(7)) ? net_buf_simple_pull_le16(buf) : ESP_BLE_MESH_ADDR_UNASSIGNED;
 if (ctx_flags & BIT(8)) {
 match_len = buf->len - ((ctx_flags & BIT(9)) ? 1 : 0);
+ if (match_len > ESP_BLE_MESH_OCTET16_LEN) {
+ net_buf_simple_add_le16(msg, BIT(5));
+ net_buf_simple_add_u8(msg, 0x01); /* too large match value length */
+ break;
+ }
 memcpy(match_val, buf->data, match_len);
 net_buf_simple_pull(buf, match_len);
 }
@@ -249,14 +254,6 @@ esp_err_t example_fast_prov_server_recv_msg(esp_ble_mesh_model_t *model,
 }
 }
- if (ctx_flags & BIT(8)) {
- if (match_len > 16) {
- net_buf_simple_add_le16(msg, BIT(5));
- net_buf_simple_add_u8(msg, 0x01); /* too large match value length */
- break;
- }
- }
-
 if (ctx_flags & BIT(9)) {
 if ((action & BIT_MASK(2)) != FAST_PROV_ACT_ENTER) {
 net_buf_simple_add_le16(msg, BIT(6));
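Review bot: `match_len = buf->len - ((ctx_flags & BIT(9)) ? 1 : 0)` underflows when BIT(9) is set and buf->len is 0; match_len is uint8_t (declared in the @@ -139 hunk), so the result wraps to 255 and the new `> ESP_BLE_MESH_OCTET16_LEN` check rejects it, but that protection is incidental and should be stated, e.g. `/* buf->len == 0 with BIT(9) set wraps match_len to 255 and is rejected below */`. Moving the check ahead of the memcpy is the right fix — the check this commit removes in the next hunk ran only after the copy had already overrun match_val. The enclosing function starts outside the hunk.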