From af2886cbabca3246ba8b4c40d2813c36cde35f86 Mon Sep 17 00:00:00 2001
From: Andrei Otcheretianski
Date: Tue, 19 Aug 2025 22:25:27 +0300
Subject: [PATCH] P2P2: Fix potential buffer overflow in PBMA parsing

Received cookie length wasn't checked resulting in a heap overflow with an arbitrary data received in the frame if the contents was larger than a fixed size buffer. Fix this by explicitly checking there buffer to be sufficient large.

Fixes: 59299a8a7d59 ("P2P2: Add bootstrapping support with PD frames")
Signed-off-by: Andrei Otcheretianski
---
 src/p2p/p2p_pd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c
index b0f893e7f..d9bff5a68 100644
--- a/src/p2p/p2p_pd.c
+++ b/src/p2p/p2p_pd.c
@@ -1694,6 +1694,12 @@ static void p2p_process_prov_disc_bootstrap_resp(struct p2p_data *p2p,
 p2p_dbg(p2p, "Truncated PBMA");
 return;
 }
+
+ if (cookie_len > sizeof(dev->bootstrap_params->cookie)) {
 p2p_dbg(p2p, "Too long PBMA cookie");
 return;
 }
+
 cookie = pos;
 dev->bootstrap_params =
-- 
2.47.3
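Review bot: The new bound is taken through `dev->bootstrap_params`, which the context line right after the added block is about to be assigned, so the pointer may well be NULL or stale at the point of the check; that is safe only because `sizeof` does not evaluate its operand, and the reader should not have to work that out, so add `/* sizeof() does not evaluate its operand; bootstrap_params may still be NULL here */` above the `if`. The check is also correct only while `cookie` is a fixed-size array member, as the commit message states; if it were ever changed to a pointer, `sizeof` would silently become the pointer size and the heap overflow would come back, so comparing against the named maximum cookie length the struct was sized from (or adding a `_Static_assert` tying the two together) would make the limit explicit. The ordering is right, since the truncation check against the remaining frame length precedes this one, and the check uses `>` so a cookie exactly filling the buffer is accepted, which matches a fixed-size raw byte array. The enclosing function p2p_process_prov_disc_bootstrap_resp starts and ends outside the hunk.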