From 6d55e5e7bf90947d5f19599a48c22d9e9785566c Mon Sep 17 00:00:00 2001
From: zhanghaipeng
Date: Wed, 3 Jan 2024 18:05:48 +0800
Subject: [PATCH] fix(bt/bluedroid): Fix ble adv data check to avoid memory overflow

---
 components/bt/host/bluedroid/stack/btm/btm_ble_gap.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c
index 6e01d6e586..fb27ba0f69 100644
--- a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c
+++ b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c
@@ -2090,7 +2090,7 @@ UINT8 *BTM_CheckAdvData( UINT8 *p_adv, UINT8 type, UINT8 *p_length)
     STREAM_TO_UINT8(length, p);
-    while ( length && (p - p_adv <= BTM_BLE_CACHE_ADV_DATA_MAX)) {
+    while ( length && (p - p_adv < BTM_BLE_CACHE_ADV_DATA_MAX)) {
         STREAM_TO_UINT8(adv_type, p);
         if ( adv_type == type ) {
@@ -2098,7 +2098,15 @@ UINT8 *BTM_CheckAdvData( UINT8 *p_adv, UINT8 type, UINT8 *p_length)
             *p_length = length - 1; /* minus the length of type */
             return p;
         }
+
         p += length - 1; /* skip the length of data */
+
+        /* Break loop if advertising data is in an incorrect format, as it may lead to memory overflow */
+        if (p >= p_adv + BTM_BLE_CACHE_ADV_DATA_MAX) {
+            break;
+        }
+
         STREAM_TO_UINT8(length, p);
     }
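Review bot: The bound in the corrected loop condition is `BTM_BLE_CACHE_ADV_DATA_MAX`, a fixed cache size rather than the length of the advertising report actually received, and nothing in the signature lets a caller pass the real length; the check therefore only protects a buffer that is at least that large, and in a larger cache the scan may still walk into stale bytes beyond the current report. That assumption should be stated on the function, e.g. `/* p_adv must point to at least BTM_BLE_CACHE_ADV_DATA_MAX bytes; the scan is bounded by that size, not by the report's own length. */`. BTM_CheckAdvData's signature and the code after the loop are outside this hunk.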
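Review bot: The match path still returns an unbounded length: when `adv_type == type` the function hands back `p` and `*p_length = length - 1` without checking that those `length - 1` bytes lie inside the `BTM_BLE_CACHE_ADV_DATA_MAX` window, so a truncated final AD structure with an oversized length field lets any caller that trusts `*p_length` read past the buffer even though the loop itself now stops. A guard on the match branch before `return p`, `if (p + (length - 1) > p_adv + BTM_BLE_CACHE_ADV_DATA_MAX) { break; }`, takes the same not-found exit the new check does. Separately, `p += length - 1` can move `p` up to 254 bytes beyond the buffer before the new comparison; checking the offset first, `if ((p - p_adv) + (length - 1) >= BTM_BLE_CACHE_ADV_DATA_MAX) { break; }` placed ahead of the advance, is equivalent and avoids forming an out-of-range pointer. What follows the loop in BTM_CheckAdvData is outside this hunk.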