authorJakub Pawlowski <jpawlowski@google.com>2018-06-21 22:56:11 -0700
committerTim Schumacher <timschumi@gmx.de>2018-10-22 21:07:53 +0200
commit334f1ad0deb38c4b865270c513e8228171fd5bcc (patch)
tree73a93eae553e15f7e8d559f5201253d0593d593d
parent254252341683ee2afe167de3c26f82001806d344 (diff)
Add packet length checks in l2cble_process_sig_cmd
Bug: 80261585 Test: compilation Change-Id: Icf55747dc948bcce140a12658237554938e2d717 (cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)
-rw-r--r--stack/l2cap/l2c_ble.c36
1 files changed, 36 insertions, 0 deletions
diff --git a/stack/l2cap/l2c_ble.c b/stack/l2cap/l2c_ble.c
index eca22548c..4bda1ead8 100644
--- a/stack/l2cap/l2c_ble.c
+++ b/stack/l2cap/l2c_ble.c
@@ -986,6 +986,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
p_pkt_end = p + pkt_len;
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_ERROR("invalid read");
+ return;
+ }
+
STREAM_TO_UINT8 (cmd_code, p);
STREAM_TO_UINT8 (id, p);
STREAM_TO_UINT16 (cmd_len, p);
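Review bot: The new guard forms `p + 4` before comparing it with `p_pkt_end`, and C defines pointer arithmetic only within the object or one past its end, so on a short packet the addition itself is outside the language; since `p_pkt_end = p + pkt_len` is set on the line just above, testing the remaining length `if (p_pkt_end - p < 4)` is well-defined and reads the same. The same five-line guard is then repeated verbatim in every later `case` with only the literal changed, so one macro taking the required byte count, used at each site, would keep the logging and the early return in a single place. The `4` here is the signaling header (code, identifier, 16-bit length) and deserves a comment, or the command-overhead constant the L2CAP headers may already define (not visible in this hunk). The body of l2cble_process_sig_cmd starts before and continues after this hunk.
```c
/* Bail out of l2cble_process_sig_cmd when fewer than `needed` bytes remain
 * between `p` and `p_end`; reports to SafetyNet like the inline checks do. */
#define L2CBLE_CHECK_REMAINING(p, p_end, needed)               \
    do {                                                       \
        if ((p_end) - (p) < (needed)) {                        \
            android_errorWriteLog(0x534e4554, "80261585");     \
            L2CAP_TRACE_ERROR("invalid read");                 \
            return;                                            \
        }                                                      \
    } while (0)

/* … unchanged: l2cble_process_sig_cmd prologue … */
    p_pkt_end = p + pkt_len;

    L2CBLE_CHECK_REMAINING(p, p_pkt_end, 4);   /* code, id, 16-bit length */
    STREAM_TO_UINT8 (cmd_code, p);
```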
@@ -1010,6 +1016,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
break;
case L2CAP_CMD_BLE_UPDATE_REQ:
+ if (p + 8 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_ERROR("invalid read");
+ return;
+ }
+
STREAM_TO_UINT16 (min_interval, p); /* 0x0006 - 0x0C80 */
STREAM_TO_UINT16 (max_interval, p); /* 0x0006 - 0x0C80 */
STREAM_TO_UINT16 (latency, p); /* 0x0000 - 0x03E8 */
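Review bot: The guard checks only that eight bytes remain in the packet, not that the command claims them: `cmd_len`, read at the top of the function, is not consulted, so a Connection Parameter Update Request whose length field is, say, 2 is still parsed from the next eight packet bytes. The Bluetooth specification fixes this command's data length at 8, so `if (cmd_len < 8 || p_pkt_end - p < 8)` (or `!=` if strict conformance is wanted) rejects both malformed shapes; whether an earlier `cmd_len` versus packet-length check exists is outside the hunk. Three of the four 16-bit fields the literal 8 covers are visible (min_interval, max_interval, latency) and the fourth presumably follows; a comment `/* min/max interval, latency, timeout: 4 x UINT16 */` on the guard would make the size self-checking. The enclosing switch continues outside the hunk.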
@@ -1055,6 +1067,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
break;
#if (defined(LE_L2CAP_CFC_INCLUDED) && (LE_L2CAP_CFC_INCLUDED == TRUE))
case LE_L2CAP_CMD_CB_CONN_REQ:
+ if (p + 10 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_ERROR("invalid read");
+ return;
+ }
+
STREAM_TO_UINT16 (le_cb_conn_req.le_psm, p);
STREAM_TO_UINT16 (le_cb_conn_req.scid, p);
STREAM_TO_UINT16 (le_cb_conn_req.mtu, p);
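Review bot: The error path logs the fixed string "invalid read" with no indication of which command or how many bytes were present, which makes the SafetyNet report hard to triage across six identical sites; `cmd_code` and `p_pkt_end - p` are both in scope here, so `L2CAP_TRACE_ERROR("LE-L2CAP: short cmd 0x%02x, %d bytes left", cmd_code, (int)(p_pkt_end - p));` costs nothing and matches the `LE-L2CAP:` prefix the debug trace in this function already uses. The literal 10 covers five 16-bit fields of the LE Credit Based Connection Request, of which le_psm, scid and mtu are visible while mps and initial credits presumably follow outside the hunk; a comment naming them would document the size. Whether the `#if LE_L2CAP_CFC_INCLUDED` region this case opens is closed later is outside view.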
@@ -1122,6 +1140,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
break;
case LE_L2CAP_CMD_CB_CONN_RSP: /* Got Credit Based L2CAP Connect Rsp from peer device */
+ if (p + 10 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_ERROR("invalid read");
+ return;
+ }
+
STREAM_TO_UINT16 (le_cb_conn_rsp.dcid, p);
STREAM_TO_UINT16 (le_cb_conn_rsp.mtu, p);
STREAM_TO_UINT16 (le_cb_conn_rsp.mps, p);
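Review bot: On a truncated Connection Response the case returns before `dcid` is parsed, so whatever pending channel the response was meant to complete is left untouched; if the rest of this case (outside the hunk) normally stops a connect timer or frees the CCB on a bad response, that does not happen on this path and the channel relies on its timeout instead — worth confirming rather than assuming. The literal 10 covers five 16-bit fields: dcid, mtu and mps are visible, the remaining two presumably initial credits and result; `/* dcid, mtu, mps, initial credits, result: 5 x UINT16 */` next to the guard would document it. The enclosing switch continues outside the hunk.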
@@ -1167,6 +1191,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
break;
case LE_L2CAP_CMD_CB_FLOW_CTRL:
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_ERROR("invalid read");
+ return;
+ }
+
STREAM_TO_UINT16 (rcid, p);
STREAM_TO_UINT16 (credits, p);
L2CAP_TRACE_DEBUG("LE-L2CAP: rcid 0x%4.4x credits 0x%4.4x", rcid, credits);
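Review bot: The `4` in this guard is a different quantity from the `4` used for the command header at the top of the function (here it is `rcid` plus `credits`, two 16-bit fields), yet nothing at the site says so; a trailing comment `/* rcid + credits */` or a named constant keeps the two from being confused if either layout changes. The debug trace that follows prints both fields only after the guard, so the logged values are always from inside the packet. The credit accounting that presumably follows the trace is outside the hunk.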
@@ -1224,6 +1254,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
break;
case L2CAP_CMD_DISC_RSP:
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_ERROR("invalid read");
+ return;
+ }
+
STREAM_TO_UINT16 (rcid, p);
STREAM_TO_UINT16 (lcid, p);