Skip to content

Commit

Permalink
Merge branch 'bugfix/fix_blufi_crash_v5.4' into 'release/v5.4'
Browse files Browse the repository at this point in the history 
fix(blufi): Fixed crash issue during memcpy in example (v5.4)

See merge request espressif/esp-idf!36552
  • Loading branch information
@Isl2017
Isl2017 committed Jan 22, 2025
2 parents b05de81 + f77da0d commit 794d8bd
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 1 deletion.
20 changes: 20 additions & 0 deletions examples/bluetooth/blufi/main/blufi_example_main.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -382,26 +382,46 @@ static void example_event_callback(esp_blufi_cb_event_t event, esp_blufi_cb_para
BLUFI_INFO("Recv STA BSSID %s\n", sta_config.sta.ssid);
break;
case ESP_BLUFI_EVENT_RECV_STA_SSID:
if (param->sta_ssid.ssid_len >= sizeof(sta_config.sta.ssid)/sizeof(sta_config.sta.ssid[0])) {
esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
BLUFI_INFO("Invalid STA SSID\n");
break;
}
strncpy((char *)sta_config.sta.ssid, (char *)param->sta_ssid.ssid, param->sta_ssid.ssid_len);
sta_config.sta.ssid[param->sta_ssid.ssid_len] = '\0';
esp_wifi_set_config(WIFI_IF_STA, &sta_config);
BLUFI_INFO("Recv STA SSID %s\n", sta_config.sta.ssid);
break;
case ESP_BLUFI_EVENT_RECV_STA_PASSWD:
if (param->sta_passwd.passwd_len >= sizeof(sta_config.sta.password)/sizeof(sta_config.sta.password[0])) {
esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
BLUFI_INFO("Invalid STA PASSWORD\n");
break;
}
strncpy((char *)sta_config.sta.password, (char *)param->sta_passwd.passwd, param->sta_passwd.passwd_len);
sta_config.sta.password[param->sta_passwd.passwd_len] = '\0';
sta_config.sta.threshold.authmode = EXAMPLE_WIFI_SCAN_AUTH_MODE_THRESHOLD;
esp_wifi_set_config(WIFI_IF_STA, &sta_config);
BLUFI_INFO("Recv STA PASSWORD %s\n", sta_config.sta.password);
break;
case ESP_BLUFI_EVENT_RECV_SOFTAP_SSID:
if (param->softap_ssid.ssid_len >= sizeof(ap_config.ap.ssid)/sizeof(ap_config.ap.ssid[0])) {
esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
BLUFI_INFO("Invalid SOFTAP SSID\n");
break;
}
strncpy((char *)ap_config.ap.ssid, (char *)param->softap_ssid.ssid, param->softap_ssid.ssid_len);
ap_config.ap.ssid[param->softap_ssid.ssid_len] = '\0';
ap_config.ap.ssid_len = param->softap_ssid.ssid_len;
esp_wifi_set_config(WIFI_IF_AP, &ap_config);
BLUFI_INFO("Recv SOFTAP SSID %s, ssid len %d\n", ap_config.ap.ssid, ap_config.ap.ssid_len);
break;
case ESP_BLUFI_EVENT_RECV_SOFTAP_PASSWD:
if (param->softap_passwd.passwd_len >= sizeof(ap_config.sta.ssid)/sizeof(ap_config.sta.ssid[0])) {
esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
BLUFI_INFO("Invalid SOFTAP PASSWD\n");
break;
}
strncpy((char *)ap_config.ap.password, (char *)param->softap_passwd.passwd, param->softap_passwd.passwd_len);
ap_config.ap.password[param->softap_passwd.passwd_len] = '\0';
esp_wifi_set_config(WIFI_IF_AP, &ap_config);
Expand Down
21 changes: 20 additions & 1 deletion examples/bluetooth/blufi/main/blufi_security.c
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
Expand Down Expand Up @@ -67,6 +67,12 @@ extern void btc_blufi_report_error(esp_blufi_error_state_t state);

void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_data, int *output_len, bool *need_free)
{
if (data == NULL || len < 3) {
BLUFI_ERROR("BLUFI Invalid data format");
btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
return;
}

int ret;
uint8_t type = data[0];

Expand Down Expand Up @@ -96,6 +102,13 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
return;
}

if (len < (blufi_sec->dh_param_len + 1)) {
BLUFI_ERROR("%s, invalid dh param len\n", __func__);
btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
return;
}

uint8_t *param = blufi_sec->dh_param;
memcpy(blufi_sec->dh_param, &data[1], blufi_sec->dh_param_len);
ret = mbedtls_dhm_read_params(&blufi_sec->dhm, &param, &param[blufi_sec->dh_param_len]);
Expand All @@ -108,6 +121,12 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
blufi_sec->dh_param = NULL;

const int dhm_len = mbedtls_dhm_get_len(&blufi_sec->dhm);

if (dhm_len > DH_SELF_PUB_KEY_LEN) {
BLUFI_ERROR("%s dhm len not support %d\n", __func__, dhm_len);
btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
}

ret = mbedtls_dhm_make_public(&blufi_sec->dhm, dhm_len, blufi_sec->self_public_key, dhm_len, myrand, NULL);
if (ret) {
BLUFI_ERROR("%s make public failed %d\n", __func__, ret);
Expand Down

0 comments on commit 794d8bd

Please sign in to comment.