This reworks the L2CAP RX path to simplify the flow and fix reassembly issues.
RX is now done in conn context instead of chan context. This allows saving
a few bytes of memory per chan since RX data are now held per-conn
instead of per-chan.
The new code also fixes a reassembly issue where we couldn't properly
reassemble an L2CAP SDU if the first fragment was shorter than the L2CAP
header.
Security Issues Fixed:
1. Buffer Overflow Prevention (ble_store_nvs.c)
- Changed all sprintf() calls to snprintf() in get_nvs_key_string()
to prevent potential buffer overflow when generating NVS key strings
- Changed index parameter type from int8_t to int in ble_nvs_delete_value()
to handle values > 127 correctly
2. Bounds Checking (ble_store_nvs.c)
- Added bounds checking in populate_db_from_nvs() before each memcpy
operation to prevent buffer overflow when NVS contains more entries
than RAM arrays can hold (due to config mismatch or NVS corruption)
3. Array Index Validation (ble_store_nvs.c)
- Fixed potential array index -1 access in ble_nvs_restore_sec_keys()
by adding checks before accessing [num - 1] indices
- Fixed loop bounds to use actual populated count instead of max config value
4. NVS Data Size Validation (ble_store_nvs.c)
- Added get_expected_size_for_obj_type() helper function
- Added size validation in get_nvs_db_value() and get_nvs_peer_record()
to detect corrupted or version-mismatched NVS data before reading
5. Type Safety Fix (ble_store_config_conf.c)
- Fixed critical typo: && to & for ble_store_config_num_csfcs
- Added missing union members (csfc, ead) in ble_store_config_conf_export()
6. Thread Safety (ble_gattc_cache.c)
- Replaced static buffer with thread-local storage (__thread) in getKeyname()
- Changed sprintf() to snprintf() with explicit size limit
- Increased buffer size from 16 to 20 bytes for safety margin
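
The checks listed in items 1 to 4, shown in self-contained C as an added example. This is not code from the commit or from ble_store_nvs.c; the record layout, the key format and all names (`sec_rec`, `store`, `make_key`, `store_load_one`, `store_last`, `demo_load`, `MAX_BONDS`) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_BONDS 2                       /* hypothetical RAM table capacity */
struct sec_rec { uint8_t peer_addr[6]; uint8_t ltk[16]; };  /* hypothetical layout */
struct store   { struct sec_rec recs[MAX_BONDS]; int num; };

/* Build a storage key with snprintf; index is int so values above 127 survive. */
int make_key(char *out, size_t out_len, const char *prefix, int index)
{
    int n = snprintf(out, out_len, "%s_%d", prefix, index);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;   /* -1: key did not fit */
}

/* Copy one persisted blob into RAM: 0 ok, -1 wrong size, -2 table full. */
int store_load_one(struct store *st, const void *blob, size_t blob_len)
{
    /* Size check first: a corrupted or other-version record is never copied. */
    if (blob_len != sizeof(struct sec_rec)) return -1;
    /* Bounds check: persistent storage may hold more entries than RAM can. */
    if (st->num < 0 || st->num >= MAX_BONDS) return -2;
    memcpy(&st->recs[st->num++], blob, sizeof(struct sec_rec));
    return 0;
}

/* Newest record, or NULL when empty: recs[num - 1] is never read with num == 0. */
const struct sec_rec *store_last(const struct store *st)
{
    return (st->num > 0 && st->num <= MAX_BONDS) ? &st->recs[st->num - 1] : NULL;
}

/* Constructed sample: one truncated and three valid blobs fed to a 2-slot table. */
int demo_load(struct store *st)
{
    struct sec_rec good = { {1, 2, 3, 4, 5, 6}, {0} };
    uint8_t truncated[5] = {0};
    memset(st, 0, sizeof(*st));
    store_load_one(st, truncated, sizeof(truncated));   /* rejected: -1 */
    for (int i = 0; i < 3; i++)
        store_load_one(st, &good, sizeof(good));        /* third call: -2 */
    return st->num;                                     /* records accepted */
}

int main(void)
{
    struct store st;
    printf("accepted %d of 4 blobs\n", demo_load(&st));
    return 0;
}
```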