authorStanley Tng <stng@google.com>2018-04-05 09:54:13 -0700
committerMSe <mse1969@posteo.de>2018-06-08 18:53:17 +0200
commit0909ead92cb31faf2bc8e162e67abed51f4bc3c5 (patch)
treef63ebd07e0d89389fad34f7d78ffb76264557f47
parentc30f6c6386201c0a1f1f503da249e5960f83d69a (diff)
DO NOT MERGE Handle bad packet length in gatts_process_read_req
Added error check and handling code in gatts_process_read_req to make sure that the packet length is correct. Please note that there is another earlier CL that is reverted and this is the updated one. Bug: 73172115 Test: Run the test program, poc, that was attached in the bug report Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b (cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb) (cherry picked from commit 16f4c21be5bd0ea1968eee8a0f00648b1e326253) CVE-2018-9358
-rw-r--r--stack/gatt/gatt_sr.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/stack/gatt/gatt_sr.c b/stack/gatt/gatt_sr.c
index 494330c79..156e38c1c 100644
--- a/stack/gatt/gatt_sr.c
+++ b/stack/gatt/gatt_sr.c
@@ -22,6 +22,7 @@
*
******************************************************************************/
+#include <log/log.h>
#include "bt_target.h"
#include "bt_utils.h"
@@ -349,6 +350,13 @@ void gatt_process_exec_write_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U
}
#endif
+ if (len < sizeof(flag)) {
+ android_errorWriteLog(0x534e4554, "73172115");
+ GATT_TRACE_ERROR("%s invalid length", __func__);
+ gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);
+ return;
+ }
+
STREAM_TO_UINT8(flag, p);
/* mask the flag */
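Review bot: The bound in the new guard is expressed as `sizeof(flag)`, but what the following `STREAM_TO_UINT8(flag, p)` actually consumes is one byte; if `flag` is ever declared wider than UINT8 (its declaration is outside this hunk) the check would reject valid one-byte requests, so tying the bound to the read itself is safer, e.g. `if (len < 1) {` with a comment `/* STREAM_TO_UINT8 below consumes exactly one byte */`. This hunk also records the SafetyNet event with `android_errorWriteLog(0x534e4554, "73172115")` while the gatts_process_read_req hunk uses `android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0)` for the same bug id; picking one form for both keeps the log entries uniform. gatt_process_exec_write_req starts and ends outside the hunk, so whether the `#if` block above the check already dereferences `p` cannot be confirmed from here.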
@@ -1231,6 +1239,14 @@ static void gatts_process_read_req(tGATT_TCB *p_tcb, tGATT_SR_REG *p_rcb, UINT8
UINT8 sec_flag, key_size, *p;
UINT16 offset = 0, value_len = 0;
+ if (op_code == GATT_REQ_READ_BLOB && len < sizeof(UINT16)) {
+ /* Error: packet length is too short */
+ GATT_TRACE_ERROR("%s: packet length=%d too short. min=%d", __func__, len, sizeof(UINT16));
+ android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
+ gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, op_code, 0, false);
+ return;
+ }
+
UNUSED (len);
if ((p_msg = (BT_HDR *)GKI_getbuf(buf_len)) == NULL)
{
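Review bot: `UNUSED (len);` directly below the new guard is now misleading, since `len` is read by the check just added; the line should be dropped. The trace on the preceding lines also passes `sizeof(UINT16)`, a `size_t`, to a `%d` conversion, which is a format/argument mismatch; `GATT_TRACE_ERROR("%s: packet length=%u too short. min=%u", __func__, (unsigned)len, (unsigned)sizeof(UINT16));` keeps the message and matches the types. The guard only covers `GATT_REQ_READ_BLOB`, which is consistent with the 2-byte offset that op code carries; a one-line comment such as `/* READ_BLOB carries a 2-byte value offset after the handle */` would make the `sizeof(UINT16)` bound self-explanatory. gatts_process_read_req starts and ends outside the hunk.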