diff options
author | Myles Watson <mylesgw@google.com> | 2018-01-11 14:20:26 -0800 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-03-30 14:34:14 +0200 |
commit | 9cbf5548726bdc284b529cb8a78c1a1e1a0103b3 (patch) | |
tree | 0dfb8db902be0a885502ed266db038b441af7c86 | |
parent | ae039ebf5c07a0c10fe86d883f50502c8a2cd3e1 (diff) | |
download | android_system_bt-9cbf5548726bdc284b529cb8a78c1a1e1a0103b3.tar.gz android_system_bt-9cbf5548726bdc284b529cb8a78c1a1e1a0103b3.tar.bz2 android_system_bt-9cbf5548726bdc284b529cb8a78c1a1e1a0103b3.zip |
BNEP: Check received frame type
Bug: 68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit b910734a55fd3babf71b049d5638bf86f81d7c1e)
CVE-2017-13269
-rw-r--r-- | stack/bnep/bnep_main.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c index 9cc5922d4..73d3ec4db 100644 --- a/stack/bnep/bnep_main.c +++ b/stack/bnep/bnep_main.c @@ -486,6 +486,13 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) type = *p++; extension_present = type >> 7; type &= 0x7f; + if (type >= sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])) + { + BNEP_TRACE_EVENT("BNEP - rcvd frame, bad type: 0x%02x", type); + android_errorWriteLog(0x534e4554, "68818034"); + GKI_freebuf (p_buf); + return; + } if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE)) { BNEP_TRACE_EVENT ("BNEP - rcvd frame, bad len: %d type: 0x%02x", p_buf->len, type); |