From 223be0cd2ea10b6cde72c0a0f4d12c5476646b24 Mon Sep 17 00:00:00 2001
From: Szymon Janc
Date: Mon, 23 Sep 2024 15:10:28 +0200
Subject: [PATCH] nimble/host: Validate advertising instance before parsing event

Advertising instance is used for indexing slave state array. Since instance is provided by host invalid handle in event means there is bug in controller.
---
 nimble/host/src/ble_hs_hci_evt.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/nimble/host/src/ble_hs_hci_evt.c b/nimble/host/src/ble_hs_hci_evt.c
index 48012f3b47..3cb5f9858f 100644
--- a/nimble/host/src/ble_hs_hci_evt.c
+++ b/nimble/host/src/ble_hs_hci_evt.c
@@ -879,6 +879,13 @@ ble_hs_hci_evt_le_adv_set_terminated(uint8_t subevent, const void *data,
         return BLE_HS_ECONTROLLER;
     }
 
+    /* this indicates bug in controller as host uses instances from
+     * 0-BLE_ADV_INSTANCES range only
+     */
+    if (ev->adv_handle >= BLE_ADV_INSTANCES) {
+        return BLE_HS_ECONTROLLER;
+    }
+
     if (ev->status == 0) {
         /* ignore return code as we need to terminate advertising set anyway */
         ble_gap_rx_conn_complete(&pend_conn_complete, ev->adv_handle);
@@ -900,6 +907,13 @@ ble_hs_hci_evt_le_scan_req_rcvd(uint8_t subevent, const void *data,
         return BLE_HS_ECONTROLLER;
     }
 
+    /* this indicates bug in controller as host uses instances from
+     * 0-BLE_ADV_INSTANCES range only
+     */
+    if (ev->adv_handle >= BLE_ADV_INSTANCES) {
+        return BLE_HS_ECONTROLLER;
+    }
+
     ble_gap_rx_scan_req_rcvd(ev);
 #endif
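Review bot: The comment above the new guard in ble_hs_hci_evt_le_adv_set_terminated reads as an inclusive range (`0-BLE_ADV_INSTANCES`) while the check rejects exactly `BLE_ADV_INSTANCES`, so a later reader may be tempted to relax `>=` to `>`; state the bound explicitly, e.g. `/* valid instances are 0..BLE_ADV_INSTANCES-1; anything else is a controller bug */`. The same guard and comment are repeated verbatim in ble_hs_hci_evt_le_scan_req_rcvd in the second hunk; a single `static inline bool ble_hs_hci_evt_adv_handle_valid(uint8_t adv_handle)` returning `adv_handle < BLE_ADV_INSTANCES` would keep the two in step and give any further adv_handle-carrying subevent an obvious place to reuse it. Placing the check ahead of ble_gap_rx_conn_complete() is the right spot, since the handle is a controller-supplied index into host-side state and the preceding check, which starts outside the hunk, presumably validates only the event length rather than the handle value. Both enclosing functions begin and end outside their hunks.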