From 84f1ae3635bb8bb94be3c41f0ee6b8a290e301c0 Mon Sep 17 00:00:00 2001
From: Teufelchen1
Date: Tue, 1 Oct 2024 14:18:02 +0200
Subject: [PATCH] bluetil: Ensure advertisement length does not exceed pkt len
---
 sys/net/ble/bluetil/bluetil_ad/bluetil_ad.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sys/net/ble/bluetil/bluetil_ad/bluetil_ad.c b/sys/net/ble/bluetil/bluetil_ad/bluetil_ad.c
index ec716f020f..55d0b3378b 100644
--- a/sys/net/ble/bluetil/bluetil_ad/bluetil_ad.c
+++ b/sys/net/ble/bluetil/bluetil_ad/bluetil_ad.c
@@ -44,9 +44,13 @@ int bluetil_ad_find(const bluetil_ad_t *ad, uint8_t type,
 unsigned pos = 0;
- while ((pos + POS_TYPE) < ad->pos) {
+ while ((pos + POS_DATA) < ad->pos) {
 uint8_t len = ad->buf[pos];
+ if (pos + len >= ad->pos) {
+ return BLUETIL_AD_NOMEM;
+ }
+
 if (ad->buf[pos + POS_TYPE] == type) {
 data->data = ad->buf + pos + POS_DATA;
 data->len = len - 1; /* take away the type field */
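Review bot: A zero length byte still passes the added bounds check, because with `len == 0` the test `pos + len >= ad->pos` is false whenever the loop condition held. If the byte at `pos + POS_TYPE` then equals `type`, the function returns `BLUETIL_AD_OK` with `data->len = len - 1`, which wraps to a very large value if that field is unsigned (its declaration is not in the hunk). If `ad` wraps a received advertisement, a caller that trusts `data->len` could then read past `ad->buf`. Extending the guard to `if ((len == 0) || (pos + len >= ad->pos)) {` closes this; whether a zero-length field should report `BLUETIL_AD_NOMEM` or simply end the search is a maintainer decision. The body of `bluetil_ad_find` starts and ends outside the hunk, so the `pos` advance after the match branch is not visible here.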