Merge branch 'fix/blufi_example_mem_access_v5.4' into 'release/v5.4'

fix(ble/blufi): Fixed blufi example security issue (v5.4)

See merge request espressif/esp-idf!36164

components/bt/common/btc/profile/esp/blufi/blufi_prf.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -95,7 +95,29 @@ void btc_blufi_report_error(esp_blufi_error_state_t state)
 
 void btc_blufi_recv_handler(uint8_t *data, int len)
 {
+    if (len < sizeof(struct blufi_hdr)) {
+        BTC_TRACE_ERROR("%s invalid data length: %d", __func__, len);
+        btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+        return;
+    }
+
     struct blufi_hdr *hdr = (struct blufi_hdr *)data;
+
+    // Verify if the received data length matches the expected length based on the BLUFI protocol
+    int target_data_len;
+
+    if (BLUFI_FC_IS_CHECK(hdr->fc)) {
+        target_data_len = hdr->data_len + 4 + 2; // Data + (Type + Frame Control + Sequence Number + Data Length) + Checksum
+    } else {
+        target_data_len = hdr->data_len + 4; // Data + (Type + Frame Control + Sequence Number + Data Length)
+    }
+
+    if (len != target_data_len) {
+        BTC_TRACE_ERROR("%s: Invalid data length: %d, expected: %d", __func__, len, target_data_len);
+        btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+        return;
+    }
+
     uint16_t checksum, checksum_pkt;
     int ret;
 

components/bt/host/bluedroid/Kconfig.in

@@ -1235,7 +1235,7 @@ config BT_BLE_50_FEATURES_SUPPORTED
 
 config BT_BLE_42_FEATURES_SUPPORTED
     bool "Enable BLE 4.2 features(please disable BLE 5.0 if enable BLE 4.2)"
-    depends on (BT_BLE_ENABLED && ((BT_CONTROLLER_ENABLED && SOC_BLE_SUPPORTED) || BT_CONTROLLER_DISABLED))
+    depends on (BT_BLE_ENABLED && ((BT_CONTROLLER_ENABLED && SOC_BLE_50_SUPPORTED) || BT_CONTROLLER_DISABLED))
     default n
     help
         This enables BLE 4.2 features.

components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h

@@ -1593,6 +1593,8 @@ typedef void (* esp_gap_ble_cb_t)(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_p
  *
  * @param[in]       callback: callback function
  *
+ * @note            Avoid performing time-consuming operations within the callback functions.
+ *
  * @return
  *                  - ESP_OK : success
  *                  - other  : failed

components/bt/host/bluedroid/api/include/api/esp_gattc_api.h

@@ -272,6 +272,8 @@ typedef void (* esp_gattc_cb_t)(esp_gattc_cb_event_t event, esp_gatt_if_t gattc_
  *
  * @param[in]      callback The pointer to the application callback function
  *
+ * @note            Avoid performing time-consuming operations within the callback functions.
+ *
  * @return
  *          - ESP_OK: Success
  *          - ESP_FAIL: Failure

components/bt/host/bluedroid/api/include/api/esp_gatts_api.h

@@ -283,6 +283,8 @@ typedef void (* esp_gatts_cb_t)(esp_gatts_cb_event_t event, esp_gatt_if_t gatts_
  *
  * @param[in] callback The pointer to the application callback function
  *
+ * @note            Avoid performing time-consuming operations within the callback functions.
+ *
  * @return
  *       - ESP_OK: Success
  *       - ESP_FAIL: Failure

components/bt/host/bluedroid/bta/dm/bta_dm_act.c

@@ -4972,7 +4972,9 @@ static UINT8 bta_dm_ble_smp_cback (tBTM_LE_EVT event, BD_ADDR bda, tBTM_LE_EVT_D
         if (p_data->complt.reason != 0) {
             sec_event.auth_cmpl.fail_reason = BTA_DM_AUTH_CONVERT_SMP_CODE(((UINT8)p_data->complt.reason));
             /* delete this device entry from Sec Dev DB */
-            bta_dm_remove_sec_dev_entry (bda);
+            APPL_TRACE_WARNING("%s remove bond,rsn %d, BDA:0x%02X%02X%02X%02X%02X%02X", __func__, sec_event.auth_cmpl.fail_reason,
+                            bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
+            bta_dm_remove_sec_dev_entry(bda);
         } else {
             sec_event.auth_cmpl.success = TRUE;
             if (!p_data->complt.smp_over_br) {

components/bt/host/bluedroid/btc/core/btc_dm.c

@@ -293,6 +293,9 @@ static void btc_dm_ble_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
             status = BT_STATUS_AUTH_REJECTED;
             break;
         default:
+            BTC_TRACE_WARNING ("%s, remove bond in flash bd_addr: %08x%04x", __func__,
+                                (p_auth_cmpl->bd_addr[0] << 24) + (p_auth_cmpl->bd_addr[1] << 16) + (p_auth_cmpl->bd_addr[2] << 8) + p_auth_cmpl->bd_addr[3],
+                                (p_auth_cmpl->bd_addr[4] << 8) + p_auth_cmpl->bd_addr[5]);
             btc_dm_remove_ble_bonding_keys();
             status =  BT_STATUS_FAIL;
             break;

examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c

@@ -493,15 +493,15 @@ void app_main(void)
         ESP_LOGE(GATTC_TAG, "%s enable bluetooth failed: %s", __func__, esp_err_to_name(ret));
         return;
     }
-
+    // Note: Avoid performing time-consuming operations within callback functions.
-    //register the  callback function to the gap module
+    // Register the callback function to the gap module
     ret = esp_ble_gap_register_callback(esp_gap_cb);
     if (ret){
         ESP_LOGE(GATTC_TAG, "%s gap register failed, error code = %x", __func__, ret);
         return;
     }
 
-    //register the callback function to the gattc module
+    // Register the callback function to the gattc module
     ret = esp_ble_gattc_register_callback(esp_gattc_cb);
     if(ret){
         ESP_LOGE(GATTC_TAG, "%s gattc register failed, error code = %x", __func__, ret);

examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c

@@ -725,7 +725,7 @@ void app_main(void)
         ESP_LOGE(GATTS_TAG, "%s enable bluetooth failed: %s", __func__, esp_err_to_name(ret));
         return;
     }
-
+    // Note: Avoid performing time-consuming operations within callback functions.
     ret = esp_ble_gatts_register_callback(gatts_event_handler);
     if (ret){
         ESP_LOGE(GATTS_TAG, "gatts register error, error code = %x", ret);