fix(bt/bluedroid): fixed an OOB bug in btm_read_local_oob_complete

2026-06-04 20:26:38 +03:00 · 2025-10-11 19:10:42 +08:00
parent 55e53f77f4
commit 70d5bb6d8c
4 changed files with 21 additions and 5 deletions
--- a/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c
@@ -227,6 +227,7 @@ void btm_ble_update_resolving_list(BD_ADDR pseudo_bda, BOOLEAN add)
 void btm_ble_clear_resolving_list_complete(UINT8 *p, UINT16 evt_len)
 {
    UINT8 status = 0;
+
    STREAM_TO_UINT8(status, p);

    BTM_TRACE_DEBUG("%s status=%d", __func__, status);
--- a/components/bt/host/bluedroid/stack/btm/btm_sec.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c
@@ -3792,13 +3792,27 @@ void btm_rem_oob_req (UINT8 *p)
 ** Returns          void
 **
 *******************************************************************************/
-void btm_read_local_oob_complete (UINT8 *p)
+void btm_read_local_oob_complete (UINT8 *p, UINT16 evt_len)
 {
    tBTM_SP_LOC_OOB evt_data;
-    UINT8           status = *p++;
+    UINT8           status;
+
+    if (evt_len < 1) {
+        BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__);
+        evt_data.status = BTM_ERR_PROCESSING;
+        goto err_out;
+    }
+
+    STREAM_TO_UINT8(status, p);

    BTM_TRACE_EVENT ("btm_read_local_oob_complete:%d\n", status);
    if (status == HCI_SUCCESS) {
+        if (evt_len < 1 + 32) {
+            BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__);
+            evt_data.status = BTM_ERR_PROCESSING;
+            goto err_out;
+        }
+
        evt_data.status = BTM_SUCCESS;
        STREAM_TO_ARRAY16(evt_data.c, p);
        STREAM_TO_ARRAY16(evt_data.r, p);
@@ -3806,6 +3820,7 @@ void btm_read_local_oob_complete (UINT8 *p)
        evt_data.status = BTM_ERR_PROCESSING;
    }

+err_out:
    if (btm_cb.api.p_sp_callback) {
        (*btm_cb.api.p_sp_callback) (BTM_SP_LOC_OOB_EVT, (tBTM_SP_EVT_DATA *)&evt_data);
    }
--- a/components/bt/host/bluedroid/stack/btm/include/btm_int.h
+++ b/components/bt/host/bluedroid/stack/btm/include/btm_int.h
@@ -1254,10 +1254,10 @@ tINQ_DB_ENT *btm_inq_db_new (BD_ADDR p_bda);

 #if BTM_OOB_INCLUDED == TRUE
 void  btm_rem_oob_req (UINT8 *p);
-void  btm_read_local_oob_complete (UINT8 *p);
+void  btm_read_local_oob_complete (UINT8 *p, UINT16 evt_len);
 #else
 #define btm_rem_oob_req(p)
-#define btm_read_local_oob_complete(p)
+#define btm_read_local_oob_complete(p, evt_len)
 #endif

 void  btm_acl_resubmit_page (void);
--- a/components/bt/host/bluedroid/stack/btu/btu_hcif.c
+++ b/components/bt/host/bluedroid/stack/btu/btu_hcif.c
@@ -1170,7 +1170,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
 #endif // #if (CLASSIC_BT_INCLUDED == TRUE)
    case HCI_READ_LOCAL_OOB_DATA:
 #if BTM_OOB_INCLUDED == TRUE && SMP_INCLUDED == TRUE
-        btm_read_local_oob_complete(p);
+        btm_read_local_oob_complete(p, evt_len);
 #endif
        break;