Closed
Description
ble::AdvertisingDataParser fails on 31-byte payloads padded with one or two null terminating bytes.
`AdvertisingDataParser::hasNext()` performs a bounds check to determine whether there is more data to process:

```cpp
if (position >= data.size()) {
    return false;
}
```
However, `AdvertisingDataParser::next()` indexes further into the data span than that check covers:

```cpp
(ble::adv_data_type_t::type) data[position + TYPE_INDEX],
data.subspan(position + VALUE_INDEX, current_length() - (TYPE_SIZE))
```
As a result, when a full-length legacy advertising payload is padded with one or two null terminating bytes at the end, `AdvertisingDataParser::hasNext()` still returns true after all data has been consumed, and the subsequent call to `AdvertisingDataParser::next()` overruns the span when it reads either the data type or the value.
One fix is to change the comparison against `data.size()` in `AdvertisingDataParser::hasNext()`:

```cpp
if (position + VALUE_INDEX >= data.size()) {
    return false;
}
```
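The following is an added, self-contained model of the walk described above; it is not mbed-os code. It assumes the standard legacy AD-structure layout `[length][type][value...]` with `TYPE_INDEX = 1`, `VALUE_INDEX = 2` and `TYPE_SIZE = 1` (an assumption, not taken from the project), and runs a constructed 31-byte payload, the same payload padded with one and two null bytes, and a payload ending in a type-only structure through both the reported and the proposed `hasNext()` comparison, flagging any read that would leave the buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Layout assumed here (not taken from mbed-os): each AD structure is
// [length][type][value...], where length counts the type byte plus the value.
static const size_t LENGTH_SIZE = 1;
static const size_t TYPE_SIZE   = 1;
static const size_t TYPE_INDEX  = LENGTH_SIZE;
static const size_t VALUE_INDEX = LENGTH_SIZE + TYPE_SIZE;

enum class BoundsCheck { Original, Proposed };

// hasNext() as reported in the issue (Original) and as proposed (Proposed).
static bool has_next(size_t position, size_t size, BoundsCheck check) {
    if (check == BoundsCheck::Original) {
        return !(position >= size);
    }
    return !(position + VALUE_INDEX >= size);
}

// Walks the payload and counts AD structures. Returns -1 as soon as next()
// would touch a byte outside the buffer, i.e. the overrun the issue describes.
static int walk(const std::vector<uint8_t>& data, BoundsCheck check) {
    size_t position = 0;
    int structures = 0;
    while (has_next(position, data.size(), check)) {
        size_t length = data[position];                 // current_length()
        if (position + TYPE_INDEX >= data.size()) {
            return -1;                                  // type byte lies past the end
        }
        if (length < TYPE_SIZE) {
            return -1;                                  // length 0: value length underflows
        }
        if (position + VALUE_INDEX + (length - TYPE_SIZE) > data.size()) {
            return -1;                                  // value bytes lie past the end
        }
        ++structures;
        position += LENGTH_SIZE + length;
    }
    return structures;
}

// Constructed sample: flags (3 bytes) + 28-byte complete local name = 31 bytes.
static std::vector<uint8_t> full_payload() {
    std::vector<uint8_t> v = {0x02, 0x01, 0x06, 0x1B, 0x09};
    for (int i = 0; i < 26; ++i) {
        v.push_back('A');
    }
    return v;
}

// The same 31-byte payload followed by `zeros` null padding bytes.
static std::vector<uint8_t> padded(size_t zeros) {
    std::vector<uint8_t> v = full_payload();
    v.insert(v.end(), zeros, 0x00);
    return v;
}

// Constructed edge case: a payload whose last structure is type-only (length 1).
static std::vector<uint8_t> type_only_tail() {
    return {0x02, 0x01, 0x06, 0x01, 0x09};
}

int main() {
    // Original check overruns on both padded inputs; the proposed check stops cleanly.
    return (walk(padded(1), BoundsCheck::Original) == -1 &&
            walk(padded(2), BoundsCheck::Proposed) == 2) ? 0 : 1;
}
```

Under these assumptions the reported check reaches past the buffer on both padded inputs, while the proposed comparison stops after the two real structures. The last sample shows the trade-off of `>=`: a trailing type-only structure (length byte 0x01, no value) sits exactly at `position + VALUE_INDEX == data.size()` and is treated like padding, so a reviewer weighing the fix should decide whether such structures need to survive.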
Affects v15.2 (0f959db)
Issue request type
- [ ] Question
- [ ] Enhancement
- [x] Bug