
ble_mesh: stack: Bugfix for oversized SegN as valid

wangjialiang 3 lat temu
rodzic
commit
a094532785

+ 7 - 0
components/bt/esp_ble_mesh/mesh_core/prov.c

@@ -74,6 +74,7 @@
 
 #define START_PAYLOAD_MAX      20
 #define CONT_PAYLOAD_MAX       23
+#define START_LAST_SEG_MAX     2
 
 #define START_LAST_SEG(gpc)    (gpc >> 2)
 #define CONT_SEG_INDEX(gpc)    (gpc >> 2)
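Review bot: `START_LAST_SEG_MAX` is introduced as a bare 2 with nothing saying where the limit comes from, both here and in the identical define added to provisioner_prov.c. Going by the two constants above it, a start segment plus two continuations carries 20 + 2 * 23 = 66 bytes, which presumably is what covers the largest provisioning PDU. A comment such as `/* Highest valid SegN: 20 + 2 * 23 bytes covers the largest provisioning PDU */` would let a reader check the bound against the receive buffer size. The new check also relies on `START_LAST_SEG(gpc)`, which expands to an unparenthesised `gpc >> 2`; writing it as `((gpc) >> 2)` would keep it safe for any argument expression.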
@@ -1563,6 +1564,12 @@ static void gen_prov_start(struct prov_rx *rx, struct net_buf_simple *buf)
         return;
     }
 
+    if (START_LAST_SEG(rx->gpc) > START_LAST_SEG_MAX) {
+        BT_ERR("Invalid SegN 0x%02x", START_LAST_SEG(rx->gpc));
+        prov_send_fail_msg(PROV_ERR_UNEXP_ERR);
+        return;
+    }
+
     if (link.rx.buf->len > link.rx.buf->size) {
         BT_ERR("Too large provisioning PDU (%u bytes)",
                 link.rx.buf->len);
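Review bot: The new SegN check in gen_prov_start compares only against a fixed ceiling, so a start PDU that declares SegN 1 or 2 with a total length that fits in a single segment still passes; the same applies to the matching check added in provisioner_prov.c. Assuming `link.rx.buf->len` already holds the declared total length at this point (the next check reads it), a consistency test such as `if (START_LAST_SEG(rx->gpc) > 0 && link.rx.buf->len <= START_PAYLOAD_MAX)` with the same failure path would reject that case before any reassembly state is set up. Both fields come from a remote device, so rejecting the mismatch here is safer than relying on later segment handling. gen_prov_start begins and ends outside the hunk, so a check of this kind may already exist further down.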

+ 7 - 0
components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c

@@ -74,6 +74,7 @@ _Static_assert(BLE_MESH_MAX_CONN >= CONFIG_BLE_MESH_PBG_SAME_TIME,
 
 #define START_PAYLOAD_MAX      20
 #define CONT_PAYLOAD_MAX       23
+#define START_LAST_SEG_MAX     2
 
 #define START_LAST_SEG(gpc)    (gpc >> 2)
 #define CONT_SEG_INDEX(gpc)    (gpc >> 2)
@@ -2980,6 +2981,12 @@ static void gen_prov_start(const uint8_t idx, struct prov_rx *rx, struct net_buf
         return;
     }
 
+    if (START_LAST_SEG(rx->gpc) > START_LAST_SEG_MAX) {
+        BT_ERR("Invalid SegN 0x%02x", START_LAST_SEG(rx->gpc));
+        close_link(idx, CLOSE_REASON_FAILED);
+        return;
+    }
+
     if (link[idx].rx.buf->len > link[idx].rx.buf->size) {
         BT_ERR("Too large provisioning PDU (%u bytes)",
                 link[idx].rx.buf->len);