author | Pavlin Radoslavov <pavlin@google.com> | 2018-08-09 13:07:48 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-11-18 07:45:39 +0000 |
commit | 6a3b685eeaf470e679af563e0277c1e15476d02a (patch) | |
tree | a145582fe1b44ae050e8f5fa0efad0cadcc63f66 | |
parent | aa1c0edaabb7d7f33177dc2de1877eaa30478ec2 (diff) | |
Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
-rw-r--r-- | stack/avrc/avrc_api.c | 40 |
1 files changed, 34 insertions, 6 deletions
diff --git a/stack/avrc/avrc_api.c b/stack/avrc/avrc_api.c
index c733fa959..caa6ab2ee 100644
--- a/stack/avrc/avrc_api.c
+++ b/stack/avrc/avrc_api.c
@@ -24,6 +24,8 @@
 #include <assert.h>
 #include <string.h>
+#include <log/log.h>
+
 
 #include "gki.h"
 #include "avrc_api.h"
 #include "avrc_int.h"
@@ -634,14 +636,22 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
 AVRC_TRACE_DEBUG("layer_specific %x",p_pkt->layer_specific);
 if (p_pkt->layer_specific != AVCT_DATA_BROWSE)
 {
+ if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
- msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
- AVRC_TRACE_DEBUG("avrc_msg_cback handle:%d, ctype:%d, offset:%d, len: %d",
- handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
- msg.hdr.subunit_type = (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
- msg.hdr.subunit_id = p_data[1] & AVRC_SUBID_MASK;
- opcode = p_data[2];
+ android_errorWriteLog(0x534e4554, "111803925");
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+ __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
+ osi_free(p_pkt);
+ return;
 }
+
+ msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
+ AVRC_TRACE_DEBUG("avrc_msg_cback handle:%d, ctype:%d, offset:%d, len: %d",
+ handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
+ msg.hdr.subunit_type = (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
+ msg.hdr.subunit_id = p_data[1] & AVRC_SUBID_MASK;
+ opcode = p_data[2];
+
 AVRC_TRACE_DEBUG("opcode %d",opcode);
 if ( ((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) && (cr == AVCT_CMD)) ||
 ((avrc_cb.ccb[handle].control & AVRC_CT_CONTROL) && (cr == AVCT_RSP)) )
 
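Review bot: The new too-short path frees the packet and leaves the function directly (`osi_free(p_pkt); return;`), while the same condition in the two later hunks (the UNIT_INFO and SUB_UNIT_INFO response checks) goes through `drop = true; p_drop_msg = ...; break;`, so whatever the common drop handling at the end of avrc_msg_cback does is bypassed here. If the direct return is deliberate because neither `msg.hdr` nor `opcode` has been parsed yet, a comment on the check would keep the next reader from "unifying" it, e.g. `/* Header unreadable: nothing parsed yet, so free and bail out rather than use the drop path below */`. The guard only covers the non-browse branch; whether the `AVCT_DATA_BROWSE` path reads `p_data` without a length check is not visible in this hunk and is worth confirming. avrc_msg_cback starts and ends outside the hunk.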
@@ -672,6 +682,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
 else
 {
 /* parse response */
+ if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN)
+ {
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+ __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
+ android_errorWriteLog(0x534e4554, "79883824");
+ drop = true;
+ p_drop_msg = "UNIT_INFO_RSP too short";
+ break;
+ }
 p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
 msg.unit.unit_type = (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
 msg.unit.unit = *p_data & AVRC_SUBID_MASK;
@@ -703,6 +722,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
 else
 {
 /* parse response */
+ if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN)
+ {
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+ __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
+ android_errorWriteLog(0x534e4554, "79883824");
+ drop = true;
+ p_drop_msg = "SUB_UNIT_INFO_RSP too short";
+ break;
+ }
 p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
 msg.sub.page = (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
 xx = 0; |
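Review bot: Neither added guard says which reads it protects, and the two blocks are identical apart from the bound and the drop message; since the parsers below advance with `p_data += 4` and `p_data += AVRC_AVC_HDR_SIZE` and then dereference, a comment on each check such as `/* bound must cover every operand byte the parser below reads */` would tie each constant to the access it guards and make a later change to the parser visibly invalidate it. Both checks sit in the "parse response" branch only, so the command side of each case, which is outside the hunk, remains unguarded if it reads operands from `p_data`; worth confirming. The repeated literal `0x534e4554` used with `android_errorWriteLog` here and in the earlier hunk would read better as one named constant. The `break` relies on the enclosing switch and on the drop handling after it, both outside the hunk.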