Merge branch 'bugfix/fix_blufi_crash_v5.0' into 'release/v5.0'

fix(blufi): Fixed crash issue during memcpy in example (v5.0)

See merge request espressif/esp-idf!36548

examples/bluetooth/blufi/main/blufi_example_main.c

@@ -380,12 +380,22 @@ static void example_event_callback(esp_blufi_cb_event_t event, esp_blufi_cb_para
         BLUFI_INFO("Recv STA BSSID %s\n", sta_config.sta.ssid);
         break;
 	case ESP_BLUFI_EVENT_RECV_STA_SSID:
+        if (param->sta_ssid.ssid_len >= sizeof(sta_config.sta.ssid)/sizeof(sta_config.sta.ssid[0])) {
+            esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
+            BLUFI_INFO("Invalid STA SSID\n");
+            break;
+        }
         strncpy((char *)sta_config.sta.ssid, (char *)param->sta_ssid.ssid, param->sta_ssid.ssid_len);
         sta_config.sta.ssid[param->sta_ssid.ssid_len] = '\0';
         esp_wifi_set_config(WIFI_IF_STA, &sta_config);
         BLUFI_INFO("Recv STA SSID %s\n", sta_config.sta.ssid);
         break;
 	case ESP_BLUFI_EVENT_RECV_STA_PASSWD:
+        if (param->sta_passwd.passwd_len >= sizeof(sta_config.sta.password)/sizeof(sta_config.sta.password[0])) {
+            esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
+            BLUFI_INFO("Invalid STA PASSWORD\n");
+            break;
+        }
         strncpy((char *)sta_config.sta.password, (char *)param->sta_passwd.passwd, param->sta_passwd.passwd_len);
         sta_config.sta.password[param->sta_passwd.passwd_len] = '\0';
         sta_config.sta.threshold.authmode = EXAMPLE_WIFI_SCAN_AUTH_MODE_THRESHOLD;
@@ -393,6 +403,11 @@ static void example_event_callback(esp_blufi_cb_event_t event, esp_blufi_cb_para
         BLUFI_INFO("Recv STA PASSWORD %s\n", sta_config.sta.password);
         break;
 	case ESP_BLUFI_EVENT_RECV_SOFTAP_SSID:
+        if (param->softap_ssid.ssid_len >= sizeof(ap_config.ap.ssid)/sizeof(ap_config.ap.ssid[0])) {
+            esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
+            BLUFI_INFO("Invalid SOFTAP SSID\n");
+            break;
+        }
         strncpy((char *)ap_config.ap.ssid, (char *)param->softap_ssid.ssid, param->softap_ssid.ssid_len);
         ap_config.ap.ssid[param->softap_ssid.ssid_len] = '\0';
         ap_config.ap.ssid_len = param->softap_ssid.ssid_len;
@@ -400,6 +415,11 @@ static void example_event_callback(esp_blufi_cb_event_t event, esp_blufi_cb_para
         BLUFI_INFO("Recv SOFTAP SSID %s, ssid len %d\n", ap_config.ap.ssid, ap_config.ap.ssid_len);
         break;
 	case ESP_BLUFI_EVENT_RECV_SOFTAP_PASSWD:
+        if (param->softap_passwd.passwd_len >= sizeof(ap_config.ap.password)/sizeof(ap_config.ap.password[0])) {
+            esp_blufi_send_error_info(ESP_BLUFI_DATA_FORMAT_ERROR);
+            BLUFI_INFO("Invalid SOFTAP PASSWD\n");
+            break;
+        }
         strncpy((char *)ap_config.ap.password, (char *)param->softap_passwd.passwd, param->softap_passwd.passwd_len);
         ap_config.ap.password[param->softap_passwd.passwd_len] = '\0';
         esp_wifi_set_config(WIFI_IF_AP, &ap_config);

examples/bluetooth/blufi/main/blufi_security.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -39,10 +39,8 @@
 
 struct blufi_security {
 #define DH_SELF_PUB_KEY_LEN     128
-#define DH_SELF_PUB_KEY_BIT_LEN (DH_SELF_PUB_KEY_LEN * 8)
     uint8_t  self_public_key[DH_SELF_PUB_KEY_LEN];
 #define SHARE_KEY_LEN           128
-#define SHARE_KEY_BIT_LEN       (SHARE_KEY_LEN * 8)
     uint8_t  share_key[SHARE_KEY_LEN];
     size_t   share_len;
 #define PSK_LEN                 16
@@ -65,6 +63,12 @@ extern void btc_blufi_report_error(esp_blufi_error_state_t state);
 
 void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_data, int *output_len, bool *need_free)
 {
+    if (data == NULL || len < 3) {
+        BLUFI_ERROR("BLUFI Invalid data format");
+        btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+        return;
+    }
+
     int ret;
     uint8_t type = data[0];
 
@@ -83,6 +87,7 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
         }
         blufi_sec->dh_param = (uint8_t *)malloc(blufi_sec->dh_param_len);
         if (blufi_sec->dh_param == NULL) {
+            blufi_sec->dh_param_len = 0;  /* Reset length to avoid using unallocated memory */
             btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR);
             BLUFI_ERROR("%s, malloc failed\n", __func__);
             return;
@@ -94,6 +99,13 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
             btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
             return;
         }
+
+        if (len < (blufi_sec->dh_param_len + 1)) {
+            BLUFI_ERROR("%s, invalid dh param len\n", __func__);
+            btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
+            return;
+        }
+
         uint8_t *param = blufi_sec->dh_param;
         memcpy(blufi_sec->dh_param, &data[1], blufi_sec->dh_param_len);
         ret = mbedtls_dhm_read_params(&blufi_sec->dhm, &param, &param[blufi_sec->dh_param_len]);
@@ -106,7 +118,14 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
         blufi_sec->dh_param = NULL;
 
         const int dhm_len = mbedtls_dhm_get_len(&blufi_sec->dhm);
-        ret = mbedtls_dhm_make_public(&blufi_sec->dhm, dhm_len, blufi_sec->self_public_key, dhm_len, myrand, NULL);
+
+        if (dhm_len > DH_SELF_PUB_KEY_LEN) {
+            BLUFI_ERROR("%s dhm len not support %d\n", __func__, dhm_len);
+            btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR);
+            return;
+        }
+
+        ret = mbedtls_dhm_make_public(&blufi_sec->dhm, dhm_len, blufi_sec->self_public_key, DH_SELF_PUB_KEY_LEN, myrand, NULL);
         if (ret) {
             BLUFI_ERROR("%s make public failed %d\n", __func__, ret);
             btc_blufi_report_error(ESP_BLUFI_MAKE_PUBLIC_ERROR);
@@ -115,7 +134,7 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
 
         ret = mbedtls_dhm_calc_secret( &blufi_sec->dhm,
                 blufi_sec->share_key,
-                SHARE_KEY_BIT_LEN,
+                SHARE_KEY_LEN,
                 &blufi_sec->share_len,
                 myrand, NULL);
         if (ret) {
@@ -132,7 +151,7 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da
             return;
         }
 
-        mbedtls_aes_setkey_enc(&blufi_sec->aes, blufi_sec->psk, 128);
+        mbedtls_aes_setkey_enc(&blufi_sec->aes, blufi_sec->psk, PSK_LEN * 8);
 
         /* alloc output data */
         *output_data = &blufi_sec->self_public_key[0];
@@ -156,6 +175,10 @@ int blufi_aes_encrypt(uint8_t iv8, uint8_t *crypt_data, int crypt_len)
     size_t iv_offset = 0;
     uint8_t iv0[16];
 
+    if (!blufi_sec) {
+        return -1;
+    }
+
     memcpy(iv0, blufi_sec->iv, sizeof(blufi_sec->iv));
     iv0[0] = iv8;   /* set iv8 as the iv0[0] */
 
@@ -173,6 +196,10 @@ int blufi_aes_decrypt(uint8_t iv8, uint8_t *crypt_data, int crypt_len)
     size_t iv_offset = 0;
     uint8_t iv0[16];
 
+    if (!blufi_sec) {
+        return -1;
+    }
+
     memcpy(iv0, blufi_sec->iv, sizeof(blufi_sec->iv));
     iv0[0] = iv8;   /* set iv8 as the iv0[0] */
 
@@ -202,7 +229,7 @@ esp_err_t blufi_security_init(void)
     mbedtls_dhm_init(&blufi_sec->dhm);
     mbedtls_aes_init(&blufi_sec->aes);
 
-    memset(blufi_sec->iv, 0x0, 16);
+    memset(blufi_sec->iv, 0x0, sizeof(blufi_sec->iv));
     return 0;
 }
 
@@ -221,5 +248,5 @@ void blufi_security_deinit(void)
     memset(blufi_sec, 0x0, sizeof(struct blufi_security));
 
     free(blufi_sec);
-    blufi_sec =  NULL;
+    blufi_sec = NULL;
 }