VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2026 · Updated Jun 17, 2026

Out-of-bounds write in Bluetooth HFP Hands-Free CIND indicator parsing (cind_handle_values)

CVE-2026-10641

Description

Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf->ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf.

Because the parser places no cap on the number of +CIND: list entries, a remote Audio Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction.

The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index >= ARRAY_SIZE(hf->ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing bounds check on the indicator index before writing to `hf->ind_table[]` in `cind_handle_values()` allows an out-of-bounds write when the AG sends more than 20 `+CIND:` indicator tuples."

Attack vector

An attacker controlling a malicious, compromised, or spoofed Bluetooth Classic HFP Audio Gateway (AG) sends a syntactically valid but overlong `+CIND:` response during SLC setup after the HF sends `AT+CIND=?`. By including more than 20 indicator tuples, the attacker drives the parser's `index` beyond the bounds of the 20-element `ind_table[]` array. For each tuple whose name matches a known indicator in `ag_ind[]`, a small byte value (0–6) is written at the out-of-bounds offset. The attacker can first send 20 unknown-name tuples to advance `index` to 20 without writing, then send a known-name tuple (e.g., `"service"`) to write the first out-of-bounds byte, corrupting security-relevant fields and causing denial of service or protocol state corruption [ref_id=1]. No user interaction is required beyond the device connecting to the attacker's AG.

Affected code

The vulnerability resides in `subsys/bluetooth/host/classic/hfp_hf.c` in the `cind_handle_values()` function. During Service Level Connection (SLC) setup, `cind_handle()` iterates over each tuple in the AG's `+CIND:` response and calls `cind_handle_values()` with an incrementing `index` without verifying that `index` is less than `HF_MAX_AG_INDICATORS` (20). The write `hf->ind_table[index] = i` can therefore write past the 20-element `int8_t ind_table[]` array, corrupting adjacent struct fields such as `hf_ind`, `ag_ind`, `ind_enable`, `ag_sdp_version`, and `ag_sdp_features` [ref_id=1].

What the fix does

The patch adds a bounds check at the top of `cind_handle_values()`: `if (index >= ARRAY_SIZE(hf->ind_table))` followed by a warning log and an early return [patch_id=6467006]. This mirrors the existing bounds check already present in the sibling consumer handler `ag_indicator_handle_values()`, confirming the omission was unintentional [ref_id=1]. With this guard, any `+CIND:` response containing more than 20 indicator tuples causes the parser to skip the out-of-bounds entries (logging a warning for each) instead of writing past the array, preventing memory corruption.
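To make the guard concrete, here is an added, self-contained C model of the fixed handler together with a minimal `+CIND:` list walker. It is example code written for this page, not Zephyr's `hfp_hf.c`: the struct layout (`struct bt_hfp_hf_model` with an assumed `ag_features` field after the table), the indicator names beyond `"service"`, the `cind_result` enum and the `cind_feed()` walker are all assumptions for illustration. Fed a constructed 21-entry response (20 unknown names, then `"service"`), the guarded handler rejects the 21st entry and the field following `ind_table[]` is untouched; a well-formed three-indicator response is stored normally.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HF_MAX_AG_INDICATORS 20
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Simplified stand-in for struct bt_hfp_hf (assumed layout, not Zephyr's):
 * the indicator table followed by a field an overrun would clobber. */
struct bt_hfp_hf_model {
	int8_t ind_table[HF_MAX_AG_INDICATORS];
	uint32_t ag_features; /* assumed adjacent field; used as a canary below */
};

/* Indicator names the HF recognises. The advisory names only "service";
 * the others are the standard HFP AG indicators and are assumed here. */
static const char *const ag_ind[] = {
	"service", "call", "callsetup", "callheld", "signal", "roam", "battchg",
};

enum cind_result { CIND_STORED, CIND_UNKNOWN_NAME, CIND_INDEX_OUT_OF_RANGE };

/* Hardened handler: the guard the fix adds comes first, before any write. */
static enum cind_result cind_handle_values_fixed(struct bt_hfp_hf_model *hf,
						  uint32_t index, const char *name)
{
	if (index >= ARRAY_SIZE(hf->ind_table)) {
		/* Zephyr logs a warning here; the entry is skipped, nothing is written. */
		return CIND_INDEX_OUT_OF_RANGE;
	}
	for (size_t i = 0; i < ARRAY_SIZE(ag_ind); i++) {
		if (strcmp(name, ag_ind[i]) == 0) {
			hf->ind_table[index] = (int8_t)i;
			return CIND_STORED;
		}
	}
	return CIND_UNKNOWN_NAME; /* unknown names still consume an index slot */
}

/* Minimal walker over a +CIND: response. Each ("name",(range)) tuple gets the
 * next index, as cind_handle() does. Returns the number of entries the guard
 * rejected; *stored counts entries actually written into ind_table[]. */
static int cind_feed(struct bt_hfp_hf_model *hf, const char *response, int *stored)
{
	uint32_t index = 0;
	int skipped = 0;
	const char *p = response;

	while ((p = strstr(p, "(\"")) != NULL) {
		char name[16];
		const char *end;
		size_t len;

		p += 2;
		end = strchr(p, '"');
		if (end == NULL) {
			break; /* unterminated name: stop parsing */
		}
		len = (size_t)(end - p);
		if (len >= sizeof(name)) {
			len = sizeof(name) - 1; /* truncate over-long names */
		}
		memcpy(name, p, len);
		name[len] = '\0';

		switch (cind_handle_values_fixed(hf, index, name)) {
		case CIND_STORED:
			(*stored)++;
			break;
		case CIND_INDEX_OUT_OF_RANGE:
			skipped++;
			break;
		default:
			break;
		}
		index++;
		p = end + 1;
	}
	return skipped;
}

/* Constructed regression input: 20 unknown-name tuples followed by one known
 * name, i.e. the 21-entry response the advisory describes. */
static const char *overlong_cind_response(void)
{
	static char buf[512];
	size_t off = (size_t)snprintf(buf, sizeof(buf), "+CIND: ");

	for (int n = 0; n < HF_MAX_AG_INDICATORS; n++) {
		off += (size_t)snprintf(buf + off, sizeof(buf) - off, "(\"x%d\",(0-1)),", n);
	}
	snprintf(buf + off, sizeof(buf) - off, "(\"service\",(0-1))");
	return buf;
}

int main(void)
{
	struct bt_hfp_hf_model hf;
	int stored = 0, skipped;

	memset(&hf, 0, sizeof(hf));
	hf.ag_features = 0xA5A5A5A5u; /* canary: must survive parsing */
	skipped = cind_feed(&hf, overlong_cind_response(), &stored);
	printf("stored=%d skipped=%d canary_intact=%d\n", stored, skipped,
	       hf.ag_features == 0xA5A5A5A5u);
	return 0;
}
```

The guard sits before the name lookup on purpose: as the advisory notes, unknown-name tuples still advance `index` without writing, so the index can reach the end of the table long before a recognized name arrives. A regression test like the one in `main()` (overlong list, canary after the table) is the cheapest way to keep this class of bug from returning.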

Preconditions

  • config: The target Zephyr build must have `CONFIG_BT_HFP_HF` enabled.
  • network: The attacker must be able to pair/connect as a Bluetooth Classic HFP Audio Gateway (AG) to the target device.
  • input: The attacker controls the content of the `+CIND:` response sent during SLC setup.

Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
