fix(ble/bluedroid): Add bounds check in ble_ancs example

2025-12-27 05:37:32 +00:00 · 2025-11-27 18:04:22 +08:00
parent cefe58de7d
commit 7e876249df
2 changed files with 42 additions and 6 deletions
--- a/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs.c
+++ b/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
@@ -126,14 +126,24 @@ void esp_receive_apple_data_source(uint8_t *message, uint16_t message_len)
    switch (Command_id)
    {
        case CommandIDGetNotificationAttributes: {
+            // Security fix: Check minimum message length before accessing message[1..4]
+            if (message_len < 5) {
+                ESP_LOGE(BLE_ANCS_TAG, "Message too short for NotificationAttributes");
+                break;
+            }
            uint32_t NotificationUID = (message[1]) | (message[2]<< 8) | (message[3]<< 16) | (message[4] << 24);
            uint32_t remian_attr_len = message_len - 5;
            uint8_t *attrs = &message[5];
            ESP_LOGI(BLE_ANCS_TAG, "recevice Notification Attributes response Command_id %d NotificationUID %" PRIu32, Command_id, NotificationUID);
            while(remian_attr_len > 0) {
+                // Security fix: Need at least 3 bytes for AttributeID(1) + len(2)
+                if (remian_attr_len < 3) {
+                    ESP_LOGE(BLE_ANCS_TAG, "Incomplete attribute header");
+                    break;
+                }
                uint8_t AttributeID = attrs[0];
                uint16_t len = attrs[1] | (attrs[2] << 8);
-                if(len > (remian_attr_len -3)) {
+                if(len > (remian_attr_len - 3)) {
                    ESP_LOGE(BLE_ANCS_TAG, "data error");
                    break;
                }
--- a/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs_demo.c
+++ b/examples/bluetooth/bluedroid/ble/ble_ancs/main/ble_ancs_demo.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
@@ -31,6 +31,8 @@
 #define ADV_CONFIG_FLAG                           (1 << 0)
 #define SCAN_RSP_CONFIG_FLAG                      (1 << 1)
 #define INVALID_HANDLE                             0
+#define ANCS_CMD_BUFFER_MAX_SIZE                   600
+
 static uint8_t adv_config_done = 0;
 static bool get_service = false;
 static esp_gattc_char_elem_t *char_elem_result   = NULL;
@@ -168,15 +170,26 @@ esp_noti_attr_list_t p_attr[8] = {

 void esp_get_notification_attributes(uint8_t *notificationUID, uint8_t num_attr, esp_noti_attr_list_t *p_attr)
 {
-    uint8_t cmd[600] = {0};
+    uint8_t cmd[ANCS_CMD_BUFFER_MAX_SIZE] = {0};
    uint32_t index = 0;
+
    cmd[0] = CommandIDGetNotificationAttributes;
    index ++;
    memcpy(&cmd[index], notificationUID, ESP_NOTIFICATIONUID_LEN);
    index += ESP_NOTIFICATIONUID_LEN;
    while(num_attr > 0) {
+        // Security fix: Check buffer boundary before writing
+        if (index >= ANCS_CMD_BUFFER_MAX_SIZE) {
+            ESP_LOGE(BLE_ANCS_TAG, "Command buffer overflow in get_notification_attributes");
+            return;
+        }
        cmd[index ++] = p_attr->noti_attribute_id;
        if (p_attr->attribute_len > 0) {
+            // Need 2 more bytes for attribute_len
+            if ((index + 2) > ANCS_CMD_BUFFER_MAX_SIZE) {
+                ESP_LOGE(BLE_ANCS_TAG, "Command buffer overflow in get_notification_attributes");
+                return;
+            }
            cmd[index ++] = p_attr->attribute_len;
            cmd[index ++] = (p_attr->attribute_len << 8);
        }
@@ -195,8 +208,15 @@ void esp_get_notification_attributes(uint8_t *notificationUID, uint8_t num_attr,

 void esp_get_app_attributes(uint8_t *appidentifier, uint16_t appidentifier_len, uint8_t num_attr, uint8_t *p_app_attrs)
 {
-    uint8_t buffer[600] = {0};
+    uint8_t buffer[ANCS_CMD_BUFFER_MAX_SIZE] = {0};
    uint32_t index = 0;
+
+    // Security fix: Check buffer boundary before memcpy
+    if ((1 + appidentifier_len + num_attr) > ANCS_CMD_BUFFER_MAX_SIZE) {
+        ESP_LOGE(BLE_ANCS_TAG, "Buffer overflow in get_app_attributes");
+        return;
+    }
+
    buffer[0] = CommandIDGetAppAttributes;
    index ++;
    memcpy(&buffer[index], appidentifier, appidentifier_len);
@@ -215,7 +235,7 @@ void esp_get_app_attributes(uint8_t *appidentifier, uint16_t appidentifier_len,

 void esp_perform_notification_action(uint8_t *notificationUID, uint8_t ActionID)
 {
-    uint8_t buffer[600] = {0};
+    uint8_t buffer[ANCS_CMD_BUFFER_MAX_SIZE] = {0};
    uint32_t index = 0;
    buffer[0] = CommandIDPerformNotificationAction;
    index ++;
@@ -517,6 +537,12 @@ static void gattc_profile_event_handler(esp_gattc_cb_event_t event, esp_gatt_if_
                esp_get_notification_attributes(notificationUID, sizeof(p_attr)/sizeof(esp_noti_attr_list_t), p_attr);
             }
        } else if (param->notify.handle == gl_profile_tab[PROFILE_A_APP_ID].data_source_handle) {
+            if ((data_buffer.len + param->notify.value_len) > sizeof(data_buffer.buffer)) {
+                ESP_LOGE(BLE_ANCS_TAG, "Data source buffer overflow detected, discarding data");
+                memset(data_buffer.buffer, 0, sizeof(data_buffer.buffer));
+                data_buffer.len = 0;
+                break;
+            }
            memcpy(&data_buffer.buffer[data_buffer.len], param->notify.value, param->notify.value_len);
            data_buffer.len += param->notify.value_len;
            if (param->notify.value_len == (gl_profile_tab[PROFILE_A_APP_ID].MTU_size - 3)) {