fix off-by-one length check in BluedroidGetChipDeviceInfo

[kali834x]

Summary

BluedroidGetChipDeviceInfo reads scan_rst.ble_adv[5] through scan_rst.ble_adv[14] after gating on adv_data_len > 13. The highest index it touches is ble_adv[14] (the AdditionalDataFlag byte of the 8-byte ChipBLEDeviceIdentificationInfo payload at offsets 7..14), which requires adv_data_len >= 15. With > 13 an advertisement carrying the Matter service UUID (0xf6 0xff at offset 5/6) and exactly 14 bytes passes the guard, so the parser reads one byte past the advertised data into AdditionalDataFlag. The advertising payload comes straight off the air, so the length is attacker controlled. This tightens the guard to > 14 so every indexed byte is within the advertised range.

Related issues

None.

Testing

Traced the indexed reads against the guard: the last byte accessed is ble_adv[14], so the minimum safe adv_data_len is 15. A conformant Matter advertisement (flags AD + 11-byte service-data AD = 15 bytes) is unaffected; only truncated/crafted 14-byte advertisements that previously slipped through are now rejected, matching the strict length checks used by the Linux and Darwin scanners.

[gemini-code-assist]

Code Review

This pull request updates the BluedroidGetChipDeviceInfo function in ChipDeviceScanner.cpp to increase the minimum required advertisement data length check (adv_data_len) from 13 to 14 bytes before parsing the CHIP Service UUID. There are no review comments, and I have no feedback to provide.

[github-actions]

PR #72652: Size comparison from 24e0342 to f809d40

Full report (35 builds for bl602, bl616, bl702, bl702l, cc13x4_26x4, cc32xx, efr32, esp32, nrfconnect, psoc6, qpg, realtek, stm32, telink)

platform	target	config	section	24e0342	f809d40	change	% change
bl602	lighting-app	bl602+mfd+littlefs+rpc	FLASH	1094778	1094778	0	0.0
			RAM	144882	144882	0	0.0
bl616	lighting-app	bl616+thread	FLASH	1106092	1106092	0	0.0
			RAM	104280	104280	0	0.0
		bl616+wifi+shell	FLASH	1593888	1593888	0	0.0
			RAM	98176	98176	0	0.0
bl702	lighting-app	bl702+eth	FLASH	1057752	1057752	0	0.0
			RAM	108525	108525	0	0.0
bl702l	contact-sensor-app	bl702l+mfd+littlefs	FLASH	896426	896426	0	0.0
			RAM	105908	105908	0	0.0
cc13x4_26x4	lighting-app	LP_EM_CC1354P10_6	FLASH	777288	777288	0	0.0
			RAM	103404	103404	0	0.0
	lock-ftd	LP_EM_CC1354P10_6	FLASH	790032	790032	0	0.0
			RAM	108684	108684	0	0.0
	pump-app	LP_EM_CC1354P10_6	FLASH	739280	739280	0	0.0
			RAM	97612	97612	0	0.0
	pump-controller-app	LP_EM_CC1354P10_6	FLASH	719452	719452	0	0.0
			RAM	97644	97644	0	0.0
cc32xx	air-purifier	CC3235SF_LAUNCHXL	FLASH	569582	569582	0	0.0
			RAM	205112	205112	0	0.0
	lock	CC3235SF_LAUNCHXL	FLASH	597134	597134	0	0.0
			RAM	205272	205272	0	0.0
efr32	lighting-app	BRD4187C	FLASH	1094828	1094828	0	0.0
			RAM	135256	135256	0	0.0
	lock-app	BRD4187C	FLASH	994752	994752	0	0.0
			RAM	131292	131292	0	0.0
		BRD4338a	FLASH	799713	799713	0	0.0
			RAM	243432	243432	0	0.0
esp32	all-clusters-app	c3devkit	DRAM	99884	99884	0	0.0
			FLASH	1624662	1624662	0	0.0
			IRAM	94776	94776	0	0.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	FLASH	835156	835156	0	0.0
			RAM	157704	157704	0	0.0
psoc6	all-clusters	cy8ckit_062s2_43012	FLASH	1737908	1737908	0	0.0
			RAM	215420	215420	0	0.0
	all-clusters-minimal	cy8ckit_062s2_43012	FLASH	1626452	1626452	0	0.0
			RAM	211604	211604	0	0.0
	light	cy8ckit_062s2_43012	FLASH	1470764	1470764	0	0.0
			RAM	197436	197436	0	0.0
	lock	cy8ckit_062s2_43012	FLASH	1504212	1504212	0	0.0
			RAM	225268	225268	0	0.0
qpg	lighting-app	qpg6200+debug	FLASH	843012	843012	0	0.0
			RAM	127908	127908	0	0.0
	lock-app	qpg6200+debug	FLASH	782896	782896	0	0.0
			RAM	118840	118840	0	0.0
realtek	light-switch-app	rtl8777g	FLASH	689248	689248	0	0.0
			RAM	101780	101780	0	0.0
	lighting-app	rtl8777g	FLASH	730192	730192	0	0.0
			RAM	102052	102052	0	0.0
stm32	light	STM32WB5MM-DK	FLASH	478900	478900	0	0.0
			RAM	141492	141492	0	0.0
telink	all-devices-app	tl7218x	FLASH	843418	843418	0	0.0
			RAM	99092	99092	0	0.0
		tlsr9118bdk40d	FLASH	634784	634784	0	0.0
			RAM	120224	120224	0	0.0
	bridge-app	tl7218x	FLASH	734038	734038	0	0.0
			RAM	97700	97700	0	0.0
	light-app-ota-compress-lzma-factory-data	tl3218x	FLASH	800568	800568	0	0.0
			RAM	42380	42380	0	0.0
	light-app-ota-compress-lzma-shell-factory-data	tl7218x	FLASH	845708	845708	0	0.0
			RAM	101492	101492	0	0.0
	light-switch-app-ota-compress-lzma-factory-data	tl7218x_retention	FLASH	734528	734528	0	0.0
			RAM	57816	57816	0	0.0
	light-switch-app-ota-compress-lzma-shell-factory-data	tlsr9528a	FLASH	795590	795590	0	0.0
			RAM	75176	75176	0	0.0
	light-switch-app-ota-factory-data	tl3218x_retention	FLASH	734444	734444	0	0.0
			RAM	34472	34472	0	0.0
	lighting-app-ota-factory-data	tlsr9118bdk40d	FLASH	615100	615100	0	0.0
			RAM	118508	118508	0	0.0
	lighting-app-ota-rpc-factory-data-4mb	tlsr9518adk80d	FLASH	841656	841660	4	0.0
			RAM	97376	97376	0	0.0

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.19%. Comparing base (24e0342) to head (f809d40).
⚠️ Report is 16 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #72652   +/-   ##
=======================================
  Coverage   56.19%   56.19%           
=======================================
  Files        1644     1644           
  Lines      113050   113050           
  Branches    13361    13361           
=======================================
  Hits        63529    63529           
  Misses      49521    49521           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mergify]

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

• Queue this pull request