Add missing AVRCP message length checks inside avrc_msg_cback

Explicitly check the length of the received message before accessing the data. Bug: 111803925 Bug: 79883824 Test: POC scripts Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb (cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f) (cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
author: Pavlin Radoslavov <pavlin@google.com> 2018-08-09 13:07:48 -0700
committer: Tim Schumacher <timschumi@gmx.de> 2018-11-18 07:45:39 +0000
commit: 6a3b685eeaf470e679af563e0277c1e15476d02a (patch)
tree: a145582fe1b44ae050e8f5fa0efad0cadcc63f66
parent: aa1c0edaabb7d7f33177dc2de1877eaa30478ec2 (diff)
download: android_system_bt-6a3b685eeaf470e679af563e0277c1e15476d02a.tar.gz
android_system_bt-6a3b685eeaf470e679af563e0277c1e15476d02a.tar.bz2
android_system_bt-6a3b685eeaf470e679af563e0277c1e15476d02a.zip
1 files changed, 34 insertions, 6 deletions
diff --git a/stack/avrc/avrc_api.c b/stack/avrc/avrc_api.c
index c733fa959..caa6ab2ee 100644
--- a/stack/avrc/avrc_api.c
+++ b/stack/avrc/avrc_api.c
@@ -24,6 +24,8 @@
 #include <assert.h>
 #include <string.h>
 
+#include <log/log.h>
+
 #include "gki.h"
 #include "avrc_api.h"
 #include "avrc_int.h"
@@ -634,14 +636,22 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
     AVRC_TRACE_DEBUG("layer_specific %x",p_pkt->layer_specific);
     if (p_pkt->layer_specific != AVCT_DATA_BROWSE)
     {
+        if (p_pkt->len < AVRC_AVC_HDR_SIZE)
         {
-            msg.hdr.ctype           = p_data[0] & AVRC_CTYPE_MASK;
-            AVRC_TRACE_DEBUG("avrc_msg_cback handle:%d, ctype:%d, offset:%d, len: %d",
-                    handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
-            msg.hdr.subunit_type    = (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
-            msg.hdr.subunit_id      = p_data[1] & AVRC_SUBID_MASK;
-            opcode                  = p_data[2];
+            android_errorWriteLog(0x534e4554, "111803925");
+            AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+                               __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
+            osi_free(p_pkt);
+            return;
         }
+
+        msg.hdr.ctype           = p_data[0] & AVRC_CTYPE_MASK;
+        AVRC_TRACE_DEBUG("avrc_msg_cback handle:%d, ctype:%d, offset:%d, len: %d",
+                 handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
+        msg.hdr.subunit_type    = (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
+        msg.hdr.subunit_id      = p_data[1] & AVRC_SUBID_MASK;
+        opcode                  = p_data[2];
+
         AVRC_TRACE_DEBUG("opcode %d",opcode);
         if ( ((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) && (cr == AVCT_CMD)) ||
            ((avrc_cb.ccb[handle].control & AVRC_CT_CONTROL) && (cr == AVCT_RSP)) )
@@ -672,6 +682,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
                 else
                 {
                     /* parse response */
+                    if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN)
+                    {
+                        AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+                                           __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
+                        android_errorWriteLog(0x534e4554, "79883824");
+                        drop = true;
+                        p_drop_msg = "UNIT_INFO_RSP too short";
+                        break;
+                    }
                     p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
                     msg.unit.unit_type  = (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
                     msg.unit.unit       = *p_data & AVRC_SUBID_MASK;
@@ -703,6 +722,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
                 else
                 {
                     /* parse response */
+                    if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN)
+                    {
+                        AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+                                           __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
+                        android_errorWriteLog(0x534e4554, "79883824");
+                        drop = true;
+                        p_drop_msg = "SUB_UNIT_INFO_RSP too short";
+                        break;
+                    }
                     p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
                     msg.sub.page    = (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
                     xx      = 0;
author	Pavlin Radoslavov <pavlin@google.com>	2018-08-09 13:07:48 -0700
committer	Tim Schumacher <timschumi@gmx.de>	2018-11-18 07:45:39 +0000
commit	6a3b685eeaf470e679af563e0277c1e15476d02a (patch)
tree	a145582fe1b44ae050e8f5fa0efad0cadcc63f66
parent	aa1c0edaabb7d7f33177dc2de1877eaa30478ec2 (diff)
download	android_system_bt-6a3b685eeaf470e679af563e0277c1e15476d02a.tar.gz android_system_bt-6a3b685eeaf470e679af563e0277c1e15476d02a.tar.bz2 android_system_bt-6a3b685eeaf470e679af563e0277c1e15476d02a.zip