diff options
author | Hansong Zhang <hsz@google.com> | 2018-01-10 13:43:25 -0800 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-03-30 14:34:09 +0200 |
commit | 9760b8e61a48039c17748e8c63112c3213e5bf4a (patch) | |
tree | 5234aa71e338e45de71434af4e4065d091603882 | |
parent | e47943ba97b187d38da3ac25c7bc0f2203d06eb5 (diff) | |
download | android_system_bt-9760b8e61a48039c17748e8c63112c3213e5bf4a.tar.gz android_system_bt-9760b8e61a48039c17748e8c63112c3213e5bf4a.tar.bz2 android_system_bt-9760b8e61a48039c17748e8c63112c3213e5bf4a.zip |
Fix unexpected behavior in reading BNEP packets
Bug: 67863755
Bug: 69177251
Bug: 69177292
Bug: 69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit 9844ddac4c0aaf217326c56f2814d145c11eb042)
CVE-2017-13258, CVE-2017-13260, CVE-2017-13261, CVE-2017-13262
-rw-r--r-- | stack/bnep/bnep_main.c | 15 | ||||
-rw-r--r-- | stack/bnep/bnep_utils.c | 23 |
2 files changed, 32 insertions, 6 deletions
diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c index 34a6a0cc3..9cc5922d4 100644 --- a/stack/bnep/bnep_main.c +++ b/stack/bnep/bnep_main.c @@ -35,6 +35,7 @@ #include "l2c_api.h" #include "l2cdefs.h" +#include "log/log.h" #include "btu.h" #include "btm_api.h" @@ -514,20 +515,20 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) org_len = rem_len; new_len = 0; do { - + if (org_len < 2) break; ext = *p++; length = *p++; p += length; + new_len = (length + 2); + if (new_len > org_len) break; + if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG)) bnep_send_command_not_understood (p_bcb, *p); - new_len += (length + 2); - - if (new_len > org_len) - break; - + org_len -= new_len; } while (ext & 0x80); + android_errorWriteLog(0x534e4554, "67863755"); } GKI_freebuf (p_buf); @@ -580,6 +581,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) while (extension_present && p && rem_len) { ext_type = *p++; + rem_len--; + android_errorWriteLog(0x534e4554, "69271284"); extension_present = ext_type >> 7; ext_type &= 0x7F; diff --git a/stack/bnep/bnep_utils.c b/stack/bnep/bnep_utils.c index a0af6877a..1dcbb7d73 100644 --- a/stack/bnep/bnep_utils.c +++ b/stack/bnep/bnep_utils.c @@ -22,6 +22,8 @@ * ******************************************************************************/ +#include <cutils/log.h> + #include <stdio.h> #include <string.h> #include "gki.h" @@ -827,6 +829,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; case BNEP_SETUP_CONNECTION_REQUEST_MSG: + if (*rem_len < 1) { + BNEP_TRACE_ERROR( + "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", + __func__); + android_errorWriteLog(0x534e4554, "69177292"); + goto bad_packet_length; + } len = *p++; if (*rem_len < ((2 * len) + 1)) { BNEP_TRACE_ERROR( @@ -854,6 +863,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; case BNEP_FILTER_NET_TYPE_SET_MSG: + if (*rem_len < 2) { + BNEP_TRACE_ERROR( + "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", + __func__); + android_errorWriteLog(0x534e4554, "69177292"); + goto bad_packet_length; + } BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) { @@ -880,6 +896,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; case BNEP_FILTER_MULTI_ADDR_SET_MSG: + if (*rem_len < 2) { + BNEP_TRACE_ERROR( + "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", + __func__); + android_errorWriteLog(0x534e4554, "69177292"); + goto bad_packet_length; + } BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) { |