Skip to content

bluetooth: fix adv data parsing for zero-length AD structures #456

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
huangyulong3 merged 1 commit into from
Feb 11, 2026
Merged

bluetooth: fix adv data parsing for zero-length AD structures #456

huangyulong3 merged 1 commit into from
Feb 11, 2026

Conversation

@zhongzhijie1
Copy link
Contributor

@zhongzhijie1 zhongzhijie1 commented Feb 6, 2026

bug: v/85714

The previous implementation did not handle zero-length AD items (len == 0) and lacked sufficient boundary checks. As a result, padding bytes could be misinterpreted as valid AD elements, leading to construction of invalid bt_data entries with oversized data_len values.

This could further cause out-of-bounds memory access during advertising data processing in the host stack.

This change adds proper handling for zero-length AD items, validates item length and buffer boundaries, and enforces segment count limits to prevent invalid bt_data construction.

huangyulong3
huangyulong3 reviewed Feb 6, 2026
View reviewed changes
gzh-terry
gzh-terry previously approved these changes Feb 6, 2026
View reviewed changes
gzh-terry
gzh-terry reviewed Feb 9, 2026
View reviewed changes
Copy link
Contributor

@gzh-terry gzh-terry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove Change-Id

chengkai15
chengkai15 reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

@chengkai15 chengkai15 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@zhongzhijie1
bluetooth: fix adv data parsing for zero-length AD structures
d7f0b9c 
bug: v/85714

The previous implementation did not handle zero-length AD items (len == 0)
and lacked sufficient boundary checks. As a result, padding bytes could be
misinterpreted as valid AD elements, leading to construction of invalid
bt_data entries with oversized data_len values.

This could further cause out-of-bounds memory access during advertising data
processing in the host stack.

This change adds proper handling for zero-length AD items, validates item
length and buffer boundaries, and enforces segment count limits to prevent
invalid bt_data construction.

Signed-off-by: zhongzhijie1 <zhongzhijie1@xiaomi.com>
@huangyulong3 huangyulong3 merged commit 3556792 into open-vela:dev Feb 11, 2026
9 checks passed
@zhongzhijie1 zhongzhijie1 deleted the _sal_adv_fix branch February 11, 2026 16:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chengkai15 chengkai15 chengkai15 approved these changes

@gzh-terry gzh-terry gzh-terry approved these changes

@huangyulong3 huangyulong3 huangyulong3 approved these changes

@hyson710 hyson710 Awaiting requested review from hyson710 hyson710 is a code owner

@zhangyuan376 zhangyuan376 Awaiting requested review from zhangyuan376 zhangyuan376 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zhongzhijie1 @chengkai15 @gzh-terry @huangyulong3