From 8974db5f9a9a243c0768338ff2b38ef9bd86a928 Mon Sep 17 00:00:00 2001
From: Diff-fusion
Date: Thu, 21 Nov 2024 17:54:37 +0100
Subject: [PATCH] Cordio BLE: Fix two integer overflows (CVE-2024-48982) (#386)

* Cordio BLE: Fix two integer overflows

* Cordio BLE: Fix sign in length check
---
 .../cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
index 11737ba6932..98a000fc743 100644
--- a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
+++ b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
@@ -2482,6 +2482,11 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
   uint8_t cbackEvt = 0;
   hciEvtCback_t cback = hciCb.evtCback;
+  if (len < 3)
+  {
+    return;
+  }
   BSTREAM_TO_UINT8(numPkts, p);
   BSTREAM_TO_UINT16(opcode, p);
@@ -2695,7 +2700,7 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
   if (cbackEvt == HCI_UNHANDLED_CMD_CMPL_CBACK_EVT)
   {
     const uint8_t structSize = sizeof(hciUnhandledCmdCmplEvt_t) - 1 /* removing the fake 1-byte array */;
     const uint8_t remainingLen = len - 3 /* we already read opcode and numPkts */;
-    const uint8_t msgSize = structSize + remainingLen;
+    const uint16_t msgSize = structSize + remainingLen;
     pMsg = WsfBufAlloc(msgSize);
     if (pMsg != NULL)
     {
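Review bot: The added `len < 3` guard only covers the numPkts and opcode bytes consumed by the two BSTREAM_TO_* reads that follow it; every opcode-specific parse in the rest of hciEvtProcessCmdCmpl (the function body runs from before this hunk to past line 2700, outside view) still reads from `p` against whatever length that particular command-complete event carries, and nothing in this patch bounds those reads. A why-comment on the guard would make its scope explicit for the next maintainer: `/* numPkts (1) + opcode (2) must be present; per-opcode parsing below must bound its own reads against len - 3 */`. The silent return also discards the numPkts field of the malformed event; if that value feeds command flow-control accounting elsewhere in the function, dropping it is presumably acceptable for a malformed packet, but that trade-off is worth stating in the same comment.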
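Review bot: Widening `msgSize` to uint16_t removes the overflow of the sum, but `structSize` is still declared `uint8_t`, so `sizeof(hciUnhandledCmdCmplEvt_t) - 1` is silently truncated if that struct ever reaches 257 bytes; the struct is not visible here, so this is a latent narrowing rather than a demonstrated bug, but `const uint16_t structSize = sizeof(hciUnhandledCmdCmplEvt_t) - 1 /* removing the fake 1-byte array */;` costs nothing and matches the new type of `msgSize`. `remainingLen = len - 3` is only free of underflow because of the `len < 3` guard added at the top of the function in the other hunk, and that cross-site dependency deserves a comment on the line, `/* len >= 3 is guaranteed by the check at function entry */`, since a future edit to either site could reintroduce the wrap. The function body continues outside the hunk, so whether the allocation of `msgSize` bytes is later paired with a copy of exactly `remainingLen` bytes cannot be confirmed from here.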