Bluetooth: hci_ecc: Verify LE Generate DHKey command parameters

Reply with Invalid Parameters Command Status if incomplete command
was received.

 HCI Command: LE Generate DHKey (0x08|0x0026) plen 60
        invalid packet size
        f6 0f 79 a0 3c 4f 3e 90 40 66 6b 1d 93 64 af ed  ..y.<O>.@fk..d..
        03 ec b4 5f 29 cf 6d 26 42 02 61 b9 29 9a bf 0b  ..._).m&B.a.)...
        5e da 86 8b 3a ef aa e8 13 3d 87 de a7 dc 36 57  ^...:....=....6W
        25 89 56 43 e8 2a 73 56 62 60 fa 81              %.VC.*sVb`..
> HCI Event: Command Status (0x0f) plen 4
      LE Generate DHKey (0x08|0x0026) ncmd 1
        Status: Invalid HCI Command Parameters (0x12)

Change-Id: I9c4e798096023f0807e8d353ac3318e3d13dc6f7
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>

include/bluetooth/hci.h

@@ -104,6 +104,7 @@ static inline bool bt_addr_le_is_identity(const bt_addr_le_t *addr)
 #define BT_HCI_ERR_CMD_DISALLOWED               0x0c
 #define BT_HCI_ERR_INSUFFICIENT_RESOURCES       0x0d
 #define BT_HCI_ERR_UNSUPP_FEATURE_PARAMS_VAL    0x11
+#define BT_HCI_ERR_INVALID_PARAMS               0x12
 #define BT_HCI_ERR_REMOTE_USER_TERM_CONN        0x13
 #define BT_HCI_ERR_PAIRING_NOT_ALLOWED          0x18
 #define BT_HCI_ERR_UNSUPP_REMOTE_FEATURE        0x1a

subsys/bluetooth/host/hci_ecc.c

@@ -171,11 +171,16 @@ static void emulate_le_generate_dhkey(struct net_buf *buf)
 		uint32_t dhkey[8];
 	} ecc;
 
-	cmd = (void *)buf->data  + sizeof(struct bt_hci_cmd_hdr);
+	if (buf->len < sizeof(*cmd)) {
+		send_cmd_status(BT_HCI_OP_LE_GENERATE_DHKEY,
+				BT_HCI_ERR_INVALID_PARAMS);
+		return;
+	}
 
-	/* TODO verify cmd parameters? */
 	send_cmd_status(BT_HCI_OP_LE_GENERATE_DHKEY, 0);
 
+	cmd = (void *)buf->data  + sizeof(struct bt_hci_cmd_hdr);
+
 	memcpy(ecc.pk.x, cmd->key, 32);
 	memcpy(ecc.pk.y, &cmd->key[32], 32);