Bluetooth: GATT: Check len of response before parsing response PDU

lylezhu2012 · lylezhu2012 · commit 32ac77081155 · 2025-08-25T17:15:26.000+08:00
In function `parse_read_by_uuid()`, the response length is not checked
before parsing the response PDU. There is a potential issue that the
`len` will be underflowed if the `len` is less than the size of
`struct bt_att_data`.

Check the length before parsing the response PDU. If the length is less
then the size of `struct bt_att_data`, notify the upper layer with the
error `BT_ATT_ERR_INVALID_ATTRIBUTE_LEN` and stop the parsing.

Signed-off-by: Lyle Zhu &lt;lyle.zhu@nxp.com&gt;
diff --git a/include/zephyr/bluetooth/gatt.h b/include/zephyr/bluetooth/gatt.h
@@ -1994,10 +1994,12 @@ struct bt_gatt_read_params {
  *  the callback being called with @p data set to @c NULL.
  *
  *  Note that returning @ref BT_GATT_ITER_CONTINUE is really starting a new ATT
- *  operation, so this can fail to allocate resources. However, all API errors
- *  are reported as if the server returned @ref BT_ATT_ERR_UNLIKELY. There is no
- *  way to distinguish between this condition and a @ref BT_ATT_ERR_UNLIKELY
- *  response from the server itself.
+ *  operation, so this can fail to allocate resources. However, if the received
+ *  data length is invalid, the error @ref BT_ATT_ERR_INVALID_ATTRIBUTE_LEN
+ *  will be returned. For all other API errors are reported as if the server
+ *  returned @ref BT_ATT_ERR_UNLIKELY. There is no way to distinguish between
+ *  this condition and a @ref BT_ATT_ERR_UNLIKELY response from the server
+ *  itself.
  *
  *  Note that the effect of returning @ref BT_GATT_ITER_CONTINUE from the
  *  callback varies depending on the type of read operation.
diff --git a/subsys/bluetooth/host/gatt.c b/subsys/bluetooth/host/gatt.c
@@ -4761,6 +4761,15 @@ static void parse_read_by_uuid(struct bt_conn *conn,
 		uint16_t handle;
 		uint16_t len;
 
+		len = MIN(rsp->len, length);
+		if (len < sizeof(struct bt_att_data)) {
+			LOG_WRN("Bad peer: ATT read-by-uuid rsp: invalid ATTR data len %u", len);
+			params->func(conn, BT_ATT_ERR_INVALID_ATTRIBUTE_LEN, params, NULL, 0);
+			return;
+		}
+
+		len -= sizeof(struct bt_att_data);
+
 		handle = sys_le16_to_cpu(data->handle);
 
 		/* Handle 0 is invalid */
@@ -4769,8 +4778,6 @@ static void parse_read_by_uuid(struct bt_conn *conn,
 			return;
 		}
 
-		len = rsp->len > length ? length - 2 : rsp->len - 2;
-
 		LOG_DBG("handle 0x%04x len %u value %u", handle, rsp->len, len);
 
 		if (!IN_RANGE(handle, req_start_handle, req_end_handle)) {
