Cordio BLE: fix OOB read in event processing (mbed-ce#387)

Author: Diff-fusion

connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c

@@ -1331,6 +1331,11 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
   while (i-- > 0)
   {
     ptr += HCI_EXT_ADV_RPT_DATA_LEN_OFFSET;
+    // discard event if it doesn't contain enough data
+    if (ptr >= p + len)
+    {
+        return;
+    }
     BSTREAM_TO_UINT8(dataLen, ptr);
     ptr += dataLen;
 
@@ -1342,6 +1347,12 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
     }
   }
 
+  // finally check that the last report is fully contained within the event
+  if (ptr > p + len)
+  {
+      return;
+  }
+
   /* allocate temp buffer that can hold max length ext adv/scan rsp data */
   if ((pMsg = WsfBufAlloc(sizeof(hciLeExtAdvReportEvt_t) + maxLen)) != NULL)
   {