Merge branch 'bugfix/ble_mesh_compile_error_o2' into 'master'

ble_mesh: Fix compile error when -O2 (performance) is chosen

Closes BLEMESH-187

See merge request espressif/esp-idf!8217

components/bt/esp_ble_mesh/api/core/esp_ble_mesh_local_data_operation_api.c

@@ -44,6 +44,9 @@ uint16_t *esp_ble_mesh_is_model_subscribed_to_group(esp_ble_mesh_model_t *model,
 
 esp_ble_mesh_elem_t *esp_ble_mesh_find_element(uint16_t element_addr)
 {
+    if (!ESP_BLE_MESH_ADDR_IS_UNICAST(element_addr)) {
+        return NULL;
+    }
     return btc_ble_mesh_elem_find(element_addr);
 }
 

components/bt/esp_ble_mesh/api/core/esp_ble_mesh_networking_api.c

@@ -268,7 +268,8 @@ esp_err_t esp_ble_mesh_provisioner_set_node_name(uint16_t index, const char *nam
 
     arg.set_node_name.index = index;
     memset(arg.set_node_name.name, 0, sizeof(arg.set_node_name.name));
-    memcpy(arg.set_node_name.name, name, strlen(name));
+    strncpy(arg.set_node_name.name, name, ESP_BLE_MESH_NODE_NAME_MAX_LEN);
+
     return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_mesh_prov_args_t), NULL)
             == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
 }

components/bt/esp_ble_mesh/api/core/esp_ble_mesh_provisioning_api.c

@@ -118,7 +118,7 @@ esp_err_t esp_ble_mesh_node_input_string(const char *string)
     btc_ble_mesh_prov_args_t arg = {0};
     btc_msg_t msg = {0};
 
-    if (!string) {
+    if (!string || strlen(string) > ESP_BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
         return ESP_ERR_INVALID_ARG;
     }
 
@@ -128,7 +128,8 @@ esp_err_t esp_ble_mesh_node_input_string(const char *string)
     msg.pid = BTC_PID_PROV;
     msg.act = BTC_BLE_MESH_ACT_INPUT_STRING;
     memset(arg.input_string.string, 0, sizeof(arg.input_string.string));
-    strncpy(arg.input_string.string, string, strlen(string));
+    strncpy(arg.input_string.string, string,
+        MIN(strlen(string), sizeof(arg.input_string.string)));
 
     return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_mesh_prov_args_t), NULL)
             == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
@@ -150,7 +151,8 @@ esp_err_t esp_ble_mesh_set_unprovisioned_device_name(const char *name)
     msg.act = BTC_BLE_MESH_ACT_SET_DEVICE_NAME;
 
     memset(arg.set_device_name.name, 0, sizeof(arg.set_device_name.name));
-    memcpy(arg.set_device_name.name, name, strlen(name));
+    strncpy(arg.set_device_name.name, name, ESP_BLE_MESH_DEVICE_NAME_MAX_LEN);
+
     return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_mesh_prov_args_t), NULL)
             == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
 }
@@ -185,7 +187,8 @@ esp_err_t esp_ble_mesh_provisioner_input_string(const char *string, uint8_t link
     btc_ble_mesh_prov_args_t arg = {0};
     btc_msg_t msg = {0};
 
-    if (!string || link_idx >= MAX_PROV_LINK_IDX) {
+    if (!string || strlen(string) > ESP_BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN ||
+        link_idx >= MAX_PROV_LINK_IDX) {
         return ESP_ERR_INVALID_ARG;
     }
 
@@ -196,7 +199,8 @@ esp_err_t esp_ble_mesh_provisioner_input_string(const char *string, uint8_t link
     msg.act = BTC_BLE_MESH_ACT_PROVISIONER_INPUT_STR;
 
     memset(arg.provisioner_input_str.string, 0, sizeof(arg.provisioner_input_str.string));
-    strncpy(arg.provisioner_input_str.string, string, strlen(string));
+    strncpy(arg.provisioner_input_str.string, string,
+        MIN(strlen(string), sizeof(arg.provisioner_input_str.string)));
     arg.provisioner_input_str.link_idx = link_idx;
 
     return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_mesh_prov_args_t), NULL)
@@ -350,6 +354,10 @@ esp_err_t esp_ble_mesh_provisioner_set_dev_uuid_match(const uint8_t *match_val,
     btc_ble_mesh_prov_args_t arg = {0};
     btc_msg_t msg = {0};
 
+    if (match_len + offset > ESP_BLE_MESH_OCTET16_LEN) {
+        return ESP_ERR_INVALID_ARG;
+    }
+
     ESP_BLE_HOST_STATUS_CHECK(ESP_BLE_HOST_STATUS_ENABLED);
 
     msg.sig = BTC_SIG_API_CALL;
@@ -446,7 +454,8 @@ esp_err_t esp_ble_mesh_set_fast_prov_info(esp_ble_mesh_fast_prov_info_t *fast_pr
     btc_ble_mesh_prov_args_t arg = {0};
     btc_msg_t msg = {0};
 
-    if (fast_prov_info == NULL) {
+    if (fast_prov_info == NULL || (fast_prov_info->offset +
+            fast_prov_info->match_len > ESP_BLE_MESH_OCTET16_LEN)) {
         return ESP_ERR_INVALID_ARG;
     }
 

components/bt/esp_ble_mesh/api/esp_ble_mesh_defs.h

@@ -242,6 +242,15 @@ typedef enum {
     ESP_BLE_MESH_PROV_OOB_ON_DEV    = BIT(15),
 } esp_ble_mesh_prov_oob_info_t;
 
+/*!< Maximum length of value used by Static OOB authentication */
+#define ESP_BLE_MESH_PROV_STATIC_OOB_MAX_LEN    16
+
+/*!< Maximum length of string used by Output OOB authentication */
+#define ESP_BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN    8
+
+/*!< Maximum length of string used by Output OOB authentication */
+#define ESP_BLE_MESH_PROV_INPUT_OOB_MAX_LEN     8
+
 /*!< Macros used to define message opcode */
 #define ESP_BLE_MESH_MODEL_OP_1(b0)         (b0)
 #define ESP_BLE_MESH_MODEL_OP_2(b0, b1)     (((b0) << 8) | (b1))
@@ -697,7 +706,7 @@ typedef struct {
     uint8_t  dev_key[16];   /*!< Node device key */
 
     /* Additional information */
-    char name[ESP_BLE_MESH_NODE_NAME_MAX_LEN]; /*!< Node name */
+    char name[ESP_BLE_MESH_NODE_NAME_MAX_LEN + 1]; /*!< Node name */
     uint16_t comp_length;  /*!< Length of Composition Data */
     uint8_t *comp_data;    /*!< Value of Composition Data */
 } __attribute__((packed)) esp_ble_mesh_node_t;

components/bt/esp_ble_mesh/btc/btc_ble_mesh_prov.c

@@ -560,7 +560,8 @@ static int btc_ble_mesh_output_string_cb(const char *str)
 
     BT_DBG("%s", __func__);
 
-    strncpy(mesh_param.node_prov_output_str.string, str, strlen(str));
+    strncpy(mesh_param.node_prov_output_str.string, str,
+        MIN(strlen(str), sizeof(mesh_param.node_prov_output_str.string)));
 
     ret = btc_ble_mesh_prov_callback(&mesh_param, ESP_BLE_MESH_NODE_PROV_OUTPUT_STRING_EVT);
     return (ret == BT_STATUS_SUCCESS) ? 0 : -1;

components/bt/esp_ble_mesh/btc/include/btc_ble_mesh_prov.h

@@ -103,7 +103,7 @@ typedef union {
         char string[8];
     } input_string;
     struct ble_mesh_set_device_name_args {
-        char name[ESP_BLE_MESH_DEVICE_NAME_MAX_LEN];
+        char name[ESP_BLE_MESH_DEVICE_NAME_MAX_LEN + 1];
     } set_device_name;
     struct ble_mesh_provisioner_read_oob_pub_key_args {
         uint8_t link_idx;
@@ -157,7 +157,7 @@ typedef union {
     } set_primary_elem_addr;
     struct ble_mesh_provisioner_set_node_name_args {
         uint16_t index;
-        char name[ESP_BLE_MESH_NODE_NAME_MAX_LEN];
+        char name[ESP_BLE_MESH_NODE_NAME_MAX_LEN + 1];
     } set_node_name;
     struct ble_mesh_provisioner_add_local_app_key_args {
         uint8_t app_key[16];

components/bt/esp_ble_mesh/mesh_core/include/mesh_main.h

@@ -62,6 +62,10 @@ typedef enum {
     BLE_MESH_PROV_OOB_ON_DEV    = BIT(15),
 } bt_mesh_prov_oob_info_t;
 
+#define BLE_MESH_PROV_STATIC_OOB_MAX_LEN    16
+#define BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN    8
+#define BLE_MESH_PROV_INPUT_OOB_MAX_LEN     8
+
 /** Provisioning properties & capabilities. */
 struct bt_mesh_prov {
 #if CONFIG_BLE_MESH_NODE

components/bt/esp_ble_mesh/mesh_core/prov.c

@@ -1743,6 +1743,13 @@ int bt_mesh_prov_init(const struct bt_mesh_prov *prov_info)
         return -EINVAL;
     }
 
+    if (prov_info->static_val_len > BLE_MESH_PROV_STATIC_OOB_MAX_LEN ||
+        prov_info->output_size > BLE_MESH_PROV_OUTPUT_OOB_MAX_LEN ||
+        prov_info->input_size > BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
+        BT_ERR("%s, Invalid auth oob length", __func__);
+        return -EINVAL;
+    }
+
     /* Changed by Espressif. Use micro-ecc to generate public key now. */
     key = bt_mesh_pub_key_get();
     if (!key) {

components/bt/esp_ble_mesh/mesh_core/provisioner_main.c

@@ -490,6 +490,8 @@ int bt_mesh_provisioner_restore_node_name(u16_t addr, const char *name)
     }
 
     strncpy(node->name, name, BLE_MESH_NODE_NAME_SIZE);
+    node->name[BLE_MESH_NODE_NAME_SIZE] = 0;
+
     return 0;
 }
 
@@ -625,7 +627,7 @@ int bt_mesh_provisioner_set_node_name(u16_t index, const char *name)
         }
     }
 
-    memset(mesh_nodes[index]->name, 0, BLE_MESH_NODE_NAME_SIZE);
+    memset(mesh_nodes[index]->name, 0, sizeof(mesh_nodes[index]->name));
     strncpy(mesh_nodes[index]->name, name, length);
 
     if (IS_ENABLED(CONFIG_BLE_MESH_SETTINGS)) {

components/bt/esp_ble_mesh/mesh_core/provisioner_main.h

@@ -42,7 +42,7 @@ struct bt_mesh_node {
     u8_t  dev_key[16];  /* Node device key */
 
     /* Additional information */
-    char  name[BLE_MESH_NODE_NAME_SIZE]; /* Node name */
+    char  name[BLE_MESH_NODE_NAME_SIZE + 1]; /* Node name */
     u16_t comp_length;  /* Length of Composition Data */
     u8_t *comp_data;    /* Value of Composition Data */
 } __packed;

components/bt/esp_ble_mesh/mesh_core/provisioner_prov.c

@@ -2178,6 +2178,11 @@ int bt_mesh_provisioner_set_oob_output_data(const u8_t idx, const u8_t *num, u8_
      *  Parameter num_flag is used to indicate whether the value
      *  output by provisioner is number or string.
      */
+    if (num == NULL || size > BLE_MESH_PROV_INPUT_OOB_MAX_LEN) {
+        BT_ERR("%s, Invalid parameter", __func__);
+        return -EINVAL;
+    }
+
     if (!link[idx].auth) {
         BT_ERR("%s, link auth is NULL", __func__);
         return -EINVAL;

components/bt/esp_ble_mesh/mesh_core/proxy_client.c

@@ -660,6 +660,11 @@ void bt_mesh_proxy_client_adv_ind_recv(struct net_buf_simple *buf, const bt_mesh
 
     switch (type) {
     case BLE_MESH_PROXY_ADV_NET_ID: {
+        if (buf->len != sizeof(ctx.net_id.net_id)) {
+            BT_WARN("Malformed Network ID");
+            return;
+        }
+
         struct bt_mesh_subnet *sub = NULL;
         sub = bt_mesh_is_net_id_exist(buf->data);
         if (!sub) {

components/bt/esp_ble_mesh/mesh_core/proxy_server.c

@@ -109,7 +109,7 @@ static enum {
     MESH_GATT_PROXY,
 } gatt_svc = MESH_GATT_NONE;
 
-static char device_name[DEVICE_NAME_SIZE] = "ESP-BLE-MESH";
+static char device_name[DEVICE_NAME_SIZE + 1] = "ESP-BLE-MESH";
 
 int bt_mesh_set_device_name(const char *name)
 {
@@ -124,7 +124,7 @@ int bt_mesh_set_device_name(const char *name)
     }
 
     memset(device_name, 0x0, sizeof(device_name));
-    memcpy(device_name, name, strlen(name));
+    strncpy(device_name, name, DEVICE_NAME_SIZE);
 
     return bt_mesh_gatts_set_local_device_name(device_name);
 }

components/bt/esp_ble_mesh/mesh_core/settings.c

@@ -1081,7 +1081,7 @@ static int node_info_set(u16_t addr, bool *exist)
 
 static int node_name_set(u16_t addr)
 {
-    char name[BLE_MESH_NODE_NAME_SIZE] = {0};
+    char name[BLE_MESH_NODE_NAME_SIZE + 1] = {0};
     char get[16] = {'\0'};
     bool exist = false;
     int err = 0;
@@ -2513,7 +2513,7 @@ void bt_mesh_clear_node_info(u16_t unicast_addr)
 
 void bt_mesh_store_node_name(struct bt_mesh_node *node)
 {
-    char node_name[BLE_MESH_NODE_NAME_SIZE] = {0};
+    char node_name[BLE_MESH_NODE_NAME_SIZE + 1] = {0};
     char name[16] = {'\0'};
     int err = 0;
 
@@ -2522,7 +2522,7 @@ void bt_mesh_store_node_name(struct bt_mesh_node *node)
         return;
     }
 
-    strncpy(node_name, node->name, BLE_MESH_NODE_NAME_SIZE);
+    strncpy(node_name, node->name, BLE_MESH_NODE_NAME_SIZE + 1);
 
     sprintf(name, "mesh/pn/%04x/n", node->unicast_addr);
     err = bt_mesh_save_core_settings(name, (const u8_t *)node_name, BLE_MESH_NODE_NAME_SIZE);

examples/bluetooth/esp_ble_mesh/ble_mesh_fast_provision/ble_mesh_fast_prov_client/main/ble_mesh_demo_main.c

@@ -138,7 +138,7 @@ static void provisioner_prov_complete(int node_index, const uint8_t uuid[16], ui
                                       uint8_t elem_num, uint16_t net_idx)
 {
     example_node_info_t *node = NULL;
-    char name[10];
+    char name[11] = {0};
     esp_err_t err;
 
     ESP_LOGI(TAG, "Node index: 0x%x, unicast address: 0x%02x, element num: %d, netkey index: 0x%02x",

examples/bluetooth/esp_ble_mesh/ble_mesh_provisioner/main/ble_mesh_demo_main.c

@@ -191,7 +191,7 @@ static esp_err_t prov_complete(int node_idx, const esp_ble_mesh_octet16_t uuid,
     esp_ble_mesh_client_common_param_t common = {0};
     esp_ble_mesh_cfg_client_get_state_t get_state = {0};
     esp_ble_mesh_node_info_t *node = NULL;
-    char name[10];
+    char name[11] = {0};
     int err;
 
     ESP_LOGI(TAG, "node index: 0x%x, unicast address: 0x%02x, element num: %d, netkey index: 0x%02x",

examples/bluetooth/esp_ble_mesh/common_vendor_models/fast_prov_vendor_model/components/esp_fast_prov_server_model.c

@@ -139,7 +139,7 @@ esp_err_t example_fast_prov_server_recv_msg(esp_ble_mesh_model_t *model,
          * status_bit_mask (2) + status_ctx_flag (1) + status_unicast (1) + status_net_idx (1) +
          * status_group (1) + status_pri_prov (1) + status_match (1) + status_action (1).
          */
-        uint8_t match_len = 0, match_val[16];
+        uint8_t match_len = 0, match_val[16] = {0};
         uint8_t status_unicast = 0;
         uint8_t flags = 0;
 
@@ -186,6 +186,11 @@ esp_err_t example_fast_prov_server_recv_msg(esp_ble_mesh_model_t *model,
         uint16_t pri_prov_addr = (ctx_flags & BIT(7)) ? net_buf_simple_pull_le16(buf) : ESP_BLE_MESH_ADDR_UNASSIGNED;
         if (ctx_flags & BIT(8)) {
             match_len = buf->len - ((ctx_flags & BIT(9)) ? 1 : 0);
+            if (match_len > ESP_BLE_MESH_OCTET16_LEN) {
+                net_buf_simple_add_le16(msg, BIT(5));
+                net_buf_simple_add_u8(msg, 0x01);   /* too large match value length */
+                break;
+            }
             memcpy(match_val, buf->data, match_len);
             net_buf_simple_pull(buf, match_len);
         }
@@ -249,14 +254,6 @@ esp_err_t example_fast_prov_server_recv_msg(esp_ble_mesh_model_t *model,
             }
         }
 
-        if (ctx_flags & BIT(8)) {
-            if (match_len > 16) {
-                net_buf_simple_add_le16(msg, BIT(5));
-                net_buf_simple_add_u8(msg, 0x01);   /* too large match value length */
-                break;
-            }
-        }
-
         if (ctx_flags & BIT(9)) {
             if ((action & BIT_MASK(2)) != FAST_PROV_ACT_ENTER) {
                 net_buf_simple_add_le16(msg, BIT(6));