From 3f6af80f1526894b810536377bc67ab144fd6798 Mon Sep 17 00:00:00 2001
From: Abdelkader Boudih <terminale@gmail.com>
Date: Sat, 30 Aug 2025 18:32:32 +0100
Subject: [PATCH] Fix buffer overflow in lua_write_to_repl()

Add bounds checking to prevent overflow when length > BLE_PREFERRED_MAX_MTU
---
 source/application/luaport.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source/application/luaport.c b/source/application/luaport.c
index e0d9ecfd..4bbe6c58 100644
--- a/source/application/luaport.c
+++ b/source/application/luaport.c
@@ -39,6 +39,13 @@ static volatile char repl_buffer[BLE_PREFERRED_MAX_MTU];
 
 void lua_write_to_repl(uint8_t *buffer, uint8_t length)
 {
+    // Bounds check to prevent buffer overflow (CVE-PENDING)
+    // Buffer size is BLE_PREFERRED_MAX_MTU (247), length can be 0-255
+    if (length >= BLE_PREFERRED_MAX_MTU)
+    {
+        length = BLE_PREFERRED_MAX_MTU - 1; // Reserve space for null terminator
+    }
+
     // Loop copy because memcpy isn't compatible with volatile
     for (size_t buffer_index = 0; buffer_index < length; buffer_index++)
     {