authorMyles Watson <mylesgw@google.com>2018-01-10 14:16:15 -0800
committerTim Schumacher <timschumi@gmx.de>2018-03-30 14:34:10 +0200
commit30b7a8208b7be560ff0d86b6cde42fcc54a466f3 (patch)
tree2e9da94ed7b1b75b9e3388d71c7fd189f5ed7da1
parent9760b8e61a48039c17748e8c63112c3213e5bf4a (diff)
downloadandroid_system_bt-30b7a8208b7be560ff0d86b6cde42fcc54a466f3.tar.gz
android_system_bt-30b7a8208b7be560ff0d86b6cde42fcc54a466f3.tar.bz2
android_system_bt-30b7a8208b7be560ff0d86b6cde42fcc54a466f3.zip
SDP: Pass the bounds to process_service_*_rsp
Test: build Bug: 68161546 Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3 (cherry picked from commit 3c7bd5a8453110a7bd1351648c5a4001b99afa70) CVE-2017-13259
-rw-r--r--stack/sdp/sdp_discovery.c53
1 files changed, 38 insertions, 15 deletions
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index 6aee7af54..fe48af462 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -31,6 +31,7 @@
#include "l2cdefs.h"
#include "hcidefs.h"
#include "hcimsgs.h"
+#include "log/log.h"
#include "sdp_api.h"
#include "sdpint.h"
#include "btu.h"
@@ -45,9 +46,12 @@
/* L O C A L F U N C T I O N P R O T O T Y P E S */
/********************************************************************************/
#if SDP_CLIENT_ENABLED == TRUE
-static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply);
-static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply);
-static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply);
+static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+ uint8_t* p_reply_end);
+static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+ uint8_t* p_reply_end);
+static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+ uint8_t* p_reply_end);
static UINT8 *save_attr_seq (tCONN_CB *p_ccb, UINT8 *p, UINT8 *p_msg_end);
static tSDP_DISC_REC *add_record (tSDP_DISCOVERY_DB *p_db, BD_ADDR p_bda);
static UINT8 *add_attr (UINT8 *p, tSDP_DISCOVERY_DB *p_db, tSDP_DISC_REC *p_rec,
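Review bot: The three new prototypes are written in a different style from the rest of this file and from their own definitions: they use `tCONN_CB* p_ccb, uint8_t* p_reply` whereas the definitions further down (`process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply, UINT8 *p_reply_end)`) and the neighbouring prototypes keep the `UINT8 *` spelling and the space before the parenthesis. This is presumably an artefact of the cherry-pick from a tree that had already been converted to fixed-width types; it compiles only because `UINT8` is expected to alias `uint8_t`, which is not visible here. Matching the local convention, e.g. `static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply, UINT8 *p_reply_end);`, keeps prototype and definition textually identical and avoids a mismatch if the typedef ever differs.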
@@ -203,7 +207,7 @@ void sdp_disc_connected (tCONN_CB *p_ccb)
{
p_ccb->disc_state = SDP_DISC_WAIT_SEARCH_ATTR;
- process_service_search_attr_rsp (p_ccb, NULL);
+ process_service_search_attr_rsp (p_ccb, NULL, NULL);
}
else
{
@@ -241,6 +245,7 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg)
/* Got a reply!! Check what we got back */
p = (UINT8 *)(p_msg + 1) + p_msg->offset;
+ UINT8 *p_end = (UINT8 *)(p_msg + 1) + p_msg->len;
BE_STREAM_TO_UINT8 (rsp_pdu, p);
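Review bot: `p_end` is derived from `p_msg->len` alone, while `p` on the line above starts at `(UINT8 *)(p_msg + 1) + p_msg->offset`. If `len` counts the bytes that begin at `offset` (the usual BT_HDR convention, though not visible in this hunk), the end pointer is `offset` bytes short of the real payload end, so the downstream checks reject well-formed replies whose continuation state lies in the last `offset` bytes; if `len` instead spans from the header, the two lines are consistent but that should be stated. Anchoring the bound on the same base as the data pointer, `UINT8 *p_end = p + p_msg->len;`, removes the ambiguity; a one-line comment saying which convention `len` follows would help the next reader either way. sdp_disc_server_rsp continues outside the hunk.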
@@ -251,7 +256,7 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg)
case SDP_PDU_SERVICE_SEARCH_RSP:
if (p_ccb->disc_state == SDP_DISC_WAIT_HANDLES)
{
- process_service_search_rsp (p_ccb, p);
+ process_service_search_rsp (p_ccb, p, p_end);
invalid_pdu = FALSE;
}
break;
@@ -259,7 +264,7 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg)
case SDP_PDU_SERVICE_ATTR_RSP:
if (p_ccb->disc_state == SDP_DISC_WAIT_ATTR)
{
- process_service_attr_rsp (p_ccb, p);
+ process_service_attr_rsp (p_ccb, p, p_end);
invalid_pdu = FALSE;
}
break;
@@ -267,7 +272,7 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg)
case SDP_PDU_SERVICE_SEARCH_ATTR_RSP:
if (p_ccb->disc_state == SDP_DISC_WAIT_SEARCH_ATTR)
{
- process_service_search_attr_rsp (p_ccb, p);
+ process_service_search_attr_rsp (p_ccb, p, p_end);
invalid_pdu = FALSE;
}
break;
@@ -290,7 +295,8 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg)
** Returns void
**
*******************************************************************************/
-static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply)
+static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
+ UINT8 *p_reply_end)
{
UINT16 xx;
UINT16 total, cur_handles, orig;
@@ -327,6 +333,11 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply)
sdp_disconnect (p_ccb, SDP_INVALID_CONT_STATE);
return;
}
+ if (p_reply + cont_len > p_reply_end) {
+ android_errorWriteLog(0x534e4554, "68161546");
+ sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
+ return;
+ }
/* stay in the same state */
sdp_snd_service_search_req(p_ccb, cont_len, p_reply);
}
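Review bot: The new bound check covers only the continuation state; the reads of `total`, `cur_handles` and the handle array earlier in process_service_search_rsp (before this hunk, not visible here) advance `p_reply` without any visible comparison against `p_reply_end`, so `p_reply` may already be past the end by the time the check runs and the comparison then passes trivially. Consider checking those earlier reads against the same end pointer, and writing this check as a length comparison, `if (cont_len > (size_t)(p_reply_end - p_reply)) {`, which avoids forming `p_reply + cont_len` beyond the buffer. A short comment on the check such as `/* continuation state must lie inside the received PDU */` would explain the log call for readers unfamiliar with the bug id.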
@@ -336,7 +347,7 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply)
p_ccb->disc_state = SDP_DISC_WAIT_ATTR;
/* Kick off the first attribute request */
- process_service_attr_rsp (p_ccb, NULL);
+ process_service_attr_rsp (p_ccb, NULL, NULL);
}
}
@@ -404,7 +415,8 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
** Returns void
**
*******************************************************************************/
-static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply)
+static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
+ UINT8 *p_reply_end)
{
UINT8 *p_start, *p_param_len;
UINT16 param_len, list_byte_count;
@@ -525,8 +537,13 @@ static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply)
/* Was this a continuation request ? */
if (cont_request_needed)
{
- memcpy (p, p_reply, *p_reply + 1);
- p += *p_reply + 1;
+ if ((p_reply + *p_reply + 1) <= p_reply_end)
+ {
+ memcpy(p, p_reply, *p_reply + 1);
+ p += *p_reply + 1;
+ }
+ else
+ android_errorWriteLog(0x534e4554, "68161546");
}
else
UINT8_TO_BE_STREAM (p, 0);
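Review bot: The guard `(p_reply + *p_reply + 1) <= p_reply_end` dereferences `*p_reply` before it has established that `p_reply` itself is still inside the reply, so a reply whose attribute data consumed exactly the whole PDU still produces a one-byte over-read on the length byte; the same pattern appears in the process_service_search_attr_rsp hunk below. A check that first confirms a byte is available and then compares lengths rather than pointers avoids both issues: `if (p_reply < p_reply_end && (size_t)(*p_reply + 1) <= (size_t)(p_reply_end - p_reply))`. Note also that the failure branch only logs and then continues, so the outgoing request is built with no continuation byte at all, whereas process_service_search_rsp disconnects with SDP_INVALID_CONT_STATE on the equivalent condition; whether the remainder of this function (outside the hunk) tolerates that is not visible here, so the two should either be made consistent or the difference documented with a comment.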
@@ -562,7 +579,8 @@ static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply)
** Returns void
**
*******************************************************************************/
-static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply)
+static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
+ UINT8 *p_reply_end)
{
UINT8 *p, *p_start, *p_end, *p_param_len;
UINT8 type;
@@ -676,8 +694,13 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply)
/* No continuation for first request */
if (p_reply)
{
- memcpy (p, p_reply, *p_reply + 1);
- p += *p_reply + 1;
+ if ((p_reply + *p_reply + 1) <= p_reply_end)
+ {
+ memcpy(p, p_reply, *p_reply + 1);
+ p += *p_reply + 1;
+ }
+ else
+ android_errorWriteLog(0x534e4554, "68161546");
}
else
UINT8_TO_BE_STREAM (p, 0);