From 2abe73635a27f9cbbbb7c5d9338331cc711a2cd2 Mon Sep 17 00:00:00 2001
From: Mark
Date: Thu, 13 Apr 2023 08:17:07 +0000
Subject: [PATCH] check ble broadcast info
Signed-off-by:xdurainbow
Signed-off-by: Mark
---
 core/discovery/ble/softbus_ble/src/disc_ble.c | 31 +++++++++++++------
 .../ble/softbus_ble/src/disc_ble_utils.c | 16 +++++-----
 2 files changed, 28 insertions(+), 19 deletions(-)
diff --git a/core/discovery/ble/softbus_ble/src/disc_ble.c b/core/discovery/ble/softbus_ble/src/disc_ble.c
index d082440d98..5caef4a9ea 100644
--- a/core/discovery/ble/softbus_ble/src/disc_ble.c
+++ b/core/discovery/ble/softbus_ble/src/disc_ble.c
@@ -312,16 +312,27 @@ static int32_t ScanFilter(const SoftBusBleScanResult *scanResultData)
 {
 uint32_t advLen = scanResultData->advLen;
 uint8_t *advData = scanResultData->advData;
- if (scanResultData->dataStatus != SOFTBUS_BLE_DATA_COMPLETE || advLen < (POS_TLV + ADV_HEAD_LEN)) {
- return SOFTBUS_ERR;
- }
- if (advData[POS_UUID] != (uint8_t)(BLE_UUID & BYTE_MASK) ||
- advData[POS_UUID + 1] != (uint8_t)((BLE_UUID >> BYTE_SHIFT_BIT) & BYTE_MASK)) {
- return SOFTBUS_ERR;
- }
- if (advData[POS_VERSION + ADV_HEAD_LEN] != BLE_VERSION) {
- return SOFTBUS_ERR;
- }
+ DISC_CHECK_AND_RETURN_RET_LOG(scanResultData->dataStatus == SOFTBUS_BLE_DATA_COMPLETE, SOFTBUS_ERR,
+ "dataStatus[%u] is invalid", scanResultData->dataStatus);
+ DISC_CHECK_AND_RETURN_RET_LOG(advLen >= (POS_TLV + ADV_HEAD_LEN), SOFTBUS_ERR,
+ "advLen[%u] is too short, less than adv header length", advLen);
+
+ uint32_t broadcastAdvLen = advData[POS_PACKET_LENGTH];
+ DISC_CHECK_AND_RETURN_RET_LOG(advLen > (POS_PACKET_LENGTH + broadcastAdvLen + 1), SOFTBUS_ERR,
+ "advLen[%u] is too short, less than adv packet length", advLen);
+ uint32_t broadcastRspLen = advData[POS_PACKET_LENGTH + broadcastAdvLen + 1];
+ DISC_CHECK_AND_RETURN_RET_LOG(broadcastRspLen >= (RSP_HEAD_LEN - 1), SOFTBUS_ERR,
+ "broadcastRspLen[%u] is too short, less than rsp header length", broadcastRspLen);
+ DISC_CHECK_AND_RETURN_RET_LOG(advLen >= (POS_PACKET_LENGTH + broadcastAdvLen + 1 + broadcastRspLen + 1),
+ SOFTBUS_ERR, "advLen[%u] is too short, less than adv+rsp packet length", advLen);
+
+ DISC_CHECK_AND_RETURN_RET_LOG(advData[POS_UUID] == (uint8_t)(BLE_UUID & BYTE_MASK), SOFTBUS_ERR,
+ "uuid low byte[%hhu] is invalid", advData[POS_UUID]);
+ DISC_CHECK_AND_RETURN_RET_LOG(advData[POS_UUID + 1] == (uint8_t)((BLE_UUID >> BYTE_SHIFT_BIT) & BYTE_MASK),
+ SOFTBUS_ERR, "uuid high byte[%hhu] is invalid", advData[POS_UUID + 1]);
+ DISC_CHECK_AND_RETURN_RET_LOG(advData[POS_VERSION + ADV_HEAD_LEN] == BLE_VERSION, SOFTBUS_ERR,
+ "adv version[%hhu] is invalid", advData[POS_VERSION + ADV_HEAD_LEN]);
+
+ if (!CheckScanner()) {
 DLOGI("no need to scan");
 (void)StopScaner();
diff --git a/core/discovery/ble/softbus_ble/src/disc_ble_utils.c b/core/discovery/ble/softbus_ble/src/disc_ble_utils.c
index 72502220cd..dac72acf61 100644
--- a/core/discovery/ble/softbus_ble/src/disc_ble_utils.c
+++ b/core/discovery/ble/softbus_ble/src/disc_ble_utils.c
@@ -256,10 +256,9 @@ static int32_t ParseRecvTlvs(DeviceWrapper *device, const uint8_t *data, uint32_
 NO_SANITIZE("cfi") int32_t GetDeviceInfoFromDisAdvData(DeviceWrapper *device, const uint8_t *data, uint32_t dataLen)
 {
- if (dataLen == 0) {
- DLOGE("dataLen is invalid");
- return SOFTBUS_INVALID_PARAM;
- }
+ DISC_CHECK_AND_RETURN_RET_LOG(device != NULL && device->info != NULL, SOFTBUS_INVALID_PARAM, "device is invalid");
+ DISC_CHECK_AND_RETURN_RET_LOG(data != NULL, SOFTBUS_INVALID_PARAM, "data=NULL is invalid");
+ DISC_CHECK_AND_RETURN_RET_LOG(dataLen != 0, SOFTBUS_INVALID_PARAM, "dataLen=0 is invalid");
 if (memcpy_s(device->info->accountHash, SHORT_USER_ID_HASH_LEN, &data[POS_USER_ID_HASH + ADV_HEAD_LEN], SHORT_USER_ID_HASH_LEN) != EOK) {
 DLOGE("copy accountHash failed");
@@ -278,7 +277,9 @@ NO_SANITIZE("cfi") int32_t GetDeviceInfoFromDisAdvData(DeviceWrapper *device, co
 while (nextAdsPtr + 1 < dataLen) {
 if (data[nextAdsPtr + 1] == RSP_TYPE) {
 scanRspPtr = nextAdsPtr;
- scanRspTlvLen = data[scanRspPtr] - RSP_HEAD_LEN + 1;
+ DISC_CHECK_AND_RETURN_RET_LOG(data[scanRspPtr] >= (RSP_HEAD_LEN - 1), SOFTBUS_ERR,
+ "rspLen[%hhu] is less than rsp head length", data[scanRspPtr]);
+ scanRspTlvLen = data[scanRspPtr] - (RSP_HEAD_LEN - 1);
 break;
 }
 nextAdsPtr += data[nextAdsPtr] + 1;
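Review bot: The new length checks in ScanFilter take the structure directly after the one at `POS_PACKET_LENGTH` to be the scan response without comparing its type byte with `RSP_TYPE`, whereas GetDeviceInfoFromDisAdvData in the second file locates the response by walking the structures until a type byte equals `RSP_TYPE`. The filter and the parser can therefore settle on different structures, in which case the bound proven here does not cover the one that is parsed. Adding `DISC_CHECK_AND_RETURN_RET_LOG(advData[POS_PACKET_LENGTH + broadcastAdvLen + 2] == RSP_TYPE, SOFTBUS_ERR, "rsp type is invalid");` after the last length check would narrow that gap (this assumes RSP_HEAD_LEN is at least 2, so that byte lies inside the checked range; the constant is not visible here). `advData` is also indexed without a NULL check, which this patch does add for `data` in the parser. ScanFilter continues past the end of the hunk.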
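Review bot: `dataLen != 0` remains the only bound before the fixed-offset read `&data[POS_USER_ID_HASH + ADV_HEAD_LEN]` in the statement that follows, so this non-static function depends on every caller having passed the buffer through ScanFilter first. A check such as `DISC_CHECK_AND_RETURN_RET_LOG(dataLen >= POS_USER_ID_HASH + ADV_HEAD_LEN + SHORT_USER_ID_HASH_LEN, SOFTBUS_INVALID_PARAM, "dataLen[%u] is too short", dataLen);` would make it safe on its own. The same gap is present in the last hunk of this file, where `advLen` is derived from `data[POS_PACKET_LENGTH]` and handed to `memcpy_s` as the source count without being compared with `dataLen`; `advLen <= dataLen` should be verified before the allocation. The function body extends beyond this hunk.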
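Review bot: The added check gives the response length a lower bound but no upper bound: nothing in the loop compares `scanRspPtr + data[scanRspPtr] + 1` with `dataLen`, so `scanRspTlvLen` can describe more bytes than the buffer holds. If the code after the loop (outside this hunk) copies `scanRspTlvLen` bytes out of `data`, that would read past the end of the buffer. Adding `DISC_CHECK_AND_RETURN_RET_LOG(scanRspPtr + data[scanRspPtr] + 1 <= dataLen, SOFTBUS_ERR, "rspLen[%hhu] exceeds dataLen", data[scanRspPtr]);` before the assignment would bound it. A one-line comment explaining why the subtraction uses `RSP_HEAD_LEN - 1` would also help the next reader.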
@@ -286,10 +287,7 @@ NO_SANITIZE("cfi") int32_t GetDeviceInfoFromDisAdvData(DeviceWrapper *device, co
 uint32_t advLen = FLAG_BYTE_LEN + 1 + data[POS_PACKET_LENGTH] + 1;
 uint8_t *copyData = SoftBusCalloc(advLen + scanRspTlvLen);
- if (copyData == NULL) {
- DLOGE("malloc failed.");
- return SOFTBUS_MEM_ERR;
- }
+ DISC_CHECK_AND_RETURN_RET_LOG(copyData != NULL, SOFTBUS_MEM_ERR, "malloc failed.");
 if (memcpy_s(copyData, advLen, data, advLen) != EOK) {
 DLOGE("memcpy_s adv failed, advLen: %u", advLen);
 SoftBusFree(copyData);
-- Gitee