From f0352500b3e5c3aaecca17d03b1e07bb2e0ac973 Mon Sep 17 00:00:00 2001
From: Andrzej Kaczmarek
Date: Mon, 7 Dec 2020 12:50:20 +0100
Subject: [PATCH] Bluetoth: controller: Fix memory corruption in RPA refresh memcpy() could overwrite memory adjacent to "pdu" due to invalid copy size.
Signed-off-by: Andrzej Kaczmarek
---
subsys/bluetooth/controller/ll_sw/ull_filter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subsys/bluetooth/controller/ll_sw/ull_filter.c b/subsys/bluetooth/controller/ll_sw/ull_filter.c
index f3fc5071a2..69446aae39 100644
--- a/subsys/bluetooth/controller/ll_sw/ull_filter.c
+++ b/subsys/bluetooth/controller/ll_sw/ull_filter.c
@@ -974,7 +974,7 @@ static void rpa_adv_refresh(struct ll_adv_set *adv)
 prev = lll_adv_data_peek(&adv->lll);
 pdu = lll_adv_data_alloc(&adv->lll, &idx);
- memcpy(pdu, prev, PDU_AC_LL_HEADER_SIZE + pdu->len);
+ memcpy(pdu, prev, PDU_AC_LL_HEADER_SIZE + prev->len);
 ull_adv_pdu_update_addrs(adv, pdu);
 lll_adv_data_enqueue(&adv->lll, idx);
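Review bot: The corrected memcpy now sizes the copy from `prev->len` but still does not bound it against the capacity of the buffer that `lll_adv_data_alloc` returns, so a reader has to trust that the previous PDU's length field is already within the slot size; if that allocator hands out fixed-size PDU slots, an assertion that `prev->len` does not exceed the maximum advertising-channel payload size, placed before the copy, would make the invariant explicit rather than implicit. A short why-comment would also keep the original bug from being reintroduced: `/* Size the copy from prev: pdu was just allocated and its header is not yet initialised. */`. The alloc result on the preceding context line is used without a check; whether it can return NULL is not visible from this hunk, so I only flag it. rpa_adv_refresh begins and ends outside the hunk.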