
Serialization of sd_ble_gap_device_name_get not correct

Hi

I've found an issue with the serialization code for the function sd_ble_gap_device_name_get in SDK 14.1.0. As far as I can see, the issue still exists in SDK 15.0.0.

The failure occurs if the passed buffer is smaller than the read name. According to the description of this SoftDevice function, in this case as much data as possible is copied to the buffer, and the length contains the full length of the name, to allow the application to provide a larger buffer.

/**@brief Get GAP device name.
 *
 * @note  If the device name is longer than the size of the supplied buffer,
 *        p_len will return the complete device name length,
 *        and not the number of bytes actually returned in p_dev_name.
 *        The application may use this information to allocate a suitable buffer size.
 *
 * @param[out]    p_dev_name Pointer to an empty buffer where the UTF-8 <b>non NULL-terminated</b> string will be placed. Set to NULL to obtain the complete device name length.
 * @param[in,out] p_len      Length of the buffer pointed by p_dev_name, complete device name length on output.
 *
 * @retval ::NRF_SUCCESS GAP device name retrieved successfully.
 * @retval ::NRF_ERROR_INVALID_ADDR Invalid pointer supplied.
 * @retval ::NRF_ERROR_DATA_SIZE Invalid data size(s) supplied.
 */
SVCALL(SD_BLE_GAP_DEVICE_NAME_GET, uint32_t, sd_ble_gap_device_name_get(uint8_t *p_dev_name, uint16_t *p_len));

The problem is that the serialization version of this function writes the full name to the buffer even if the buffer is too small. In my case this buffer overflow overwrites the length of the advertising data, as it is called in the name_encode function of the ble_advdata module.

Regards Adrian
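Added example, not Nordic's serialization code: a plain C decode step that follows the contract quoted in the post (copy at most *p_len bytes, always report the complete length), a caller-side check that trusts only the bytes actually delivered, and a struct that mirrors the adjacent length field the overflow clobbered. The error-code values, k_remote_name and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NRF_SUCCESS            0  /* assumed stand-ins for the SoftDevice codes */
#define NRF_ERROR_INVALID_ADDR 16

/* Constructed sample: the name as it arrives in the serialized response
 * from the connectivity chip (23 bytes, no terminator is sent). */
static const uint8_t k_remote_name[] = "Nordic_Long_Device_Name";
#define REMOTE_NAME_LEN ((uint16_t)(sizeof(k_remote_name) - 1))

/* Decode step following the documented contract: copy at most *p_len bytes
 * into p_dev_name, but always report the complete length in *p_len so the
 * caller can retry with a larger buffer; NULL p_dev_name only queries the
 * length. The faulty behaviour described in the post amounts to
 * memcpy(p_dev_name, p_name, name_len) with no comparison against *p_len. */
uint32_t device_name_get_decode(const uint8_t *p_name, uint16_t name_len,
                                uint8_t *p_dev_name, uint16_t *p_len)
{
    if (p_len == NULL) return NRF_ERROR_INVALID_ADDR;
    if (p_dev_name != NULL) {
        uint16_t to_copy = (*p_len < name_len) ? *p_len : name_len;
        memcpy(p_dev_name, p_name, to_copy); /* bounded by the caller's buffer */
    }
    *p_len = name_len; /* full length, not the number of bytes copied */
    return NRF_SUCCESS;
}

/* Caller-side pattern: trust only min(returned length, buffer size) bytes. */
uint32_t get_name_bounded(uint8_t *buf, uint16_t buf_size,
                          uint16_t *p_copied, uint16_t *p_full_len)
{
    uint16_t len = buf_size;
    uint32_t err = device_name_get_decode(k_remote_name, REMOTE_NAME_LEN, buf, &len);
    if (err != NRF_SUCCESS) return err;
    *p_full_len = len;
    *p_copied   = (len < buf_size) ? len : buf_size;
    return NRF_SUCCESS;
}

/* Mirrors the symptom in the post: an 8-byte name buffer followed by a length
 * field. Returns that field after the call; bounded copying leaves it 0x1234. */
uint16_t adjacent_length_after_get(void)
{
    struct { uint8_t name[8]; uint16_t adv_len; } adv = { {0}, 0x1234 };
    uint16_t len = sizeof(adv.name);
    device_name_get_decode(k_remote_name, REMOTE_NAME_LEN, adv.name, &len);
    return adv.adv_len;
}
```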
