Bluetooth: GATT: Check len of response before parsing response PDU

In function `parse_read_by_uuid()`, the response length is not checked
before parsing the response PDU. There is a potential issue that the
`len` will be underflowed if the `len` is less than the size of
`struct bt_att_data`.

Check the length before parsing the response PDU. If the length is less
then the size of `struct bt_att_data`, notify the upper layer with the
error `BT_ATT_ERR_INVALID_PDU` and stop the parsing.

Signed-off-by: Lyle Zhu <[email protected]>

Author: lylezhu2012

include/zephyr/bluetooth/gatt.h

@@ -1897,6 +1897,9 @@ struct bt_gatt_read_params;
  *  When reading using by_uuid, `params->start_handle` is the attribute handle
  *  for this `data` item.
  *
+ *  If the received data length is invalid, the callback will called with the
+ *  error @ref BT_ATT_ERR_INVALID_PDU.
+ *
  *  @param conn Connection object.
  *  @param err ATT error code.
  *  @param params Read parameters used.
@@ -2005,6 +2008,8 @@ struct bt_gatt_read_params {
  *  The Response comes in callback @p params->func. The callback is run from
  *  the context specified by 'config BT_RECV_CONTEXT'.
  *  @p params must remain valid until start of callback.
+ *  If the received data length is invalid, the callback @p params->func will
+ *  called with the error @ref BT_ATT_ERR_INVALID_PDU.
  *
  *  @param conn Connection object.
  *  @param params Read parameters.

subsys/bluetooth/host/gatt.c

@@ -4776,6 +4776,15 @@ static void parse_read_by_uuid(struct bt_conn *conn,
 		uint16_t handle;
 		uint16_t len;
 
+		len = MIN(rsp->len, length);
+		if (len < sizeof(struct bt_att_data)) {
+			LOG_WRN("Bad peer: ATT read-by-uuid rsp: invalid ATTR PDU len %u", len);
+			params->func(conn, BT_ATT_ERR_INVALID_PDU, params, NULL, 0);
+			return;
+		}
+
+		len -= sizeof(struct bt_att_data);
+
 		handle = sys_le16_to_cpu(data->handle);
 
 		/* Handle 0 is invalid */
@@ -4784,8 +4793,6 @@ static void parse_read_by_uuid(struct bt_conn *conn,
 			return;
 		}
 
-		len = rsp->len > length ? length - 2 : rsp->len - 2;
-
 		LOG_DBG("handle 0x%04x len %u value %u", handle, rsp->len, len);
 
 		if (!IN_RANGE(handle, req_start_handle, req_end_handle)) {