diff options
author | Cheney Ni <cheneyni@google.com> | 2018-08-08 22:20:08 +0800 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-11-18 07:45:48 +0000 |
commit | 7b2ff70bdc55cf5ba5451c4e158a70d87c897c26 (patch) | |
tree | 631709951e7edd1c21310e368a6a2bbcc5515c0b | |
parent | 10de1343b6e3b65e913b8d9281b7bb5a32c841a3 (diff) | |
download | android_system_bt-7b2ff70bdc55cf5ba5451c4e158a70d87c897c26.tar.gz android_system_bt-7b2ff70bdc55cf5ba5451c4e158a70d87c897c26.tar.bz2 android_system_bt-7b2ff70bdc55cf5ba5451c4e158a70d87c897c26.zip |
Checks the SMP length to fix OOB read
Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit fceb753bda651c4135f3f93a510e5fcb4c7542b8)
-rw-r--r-- | stack/smp/smp_act.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c index bcd96d12b..10ac5d393 100644 --- a/stack/smp/smp_act.c +++ b/stack/smp/smp_act.c @@ -959,8 +959,17 @@ void smp_br_select_next_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) void smp_proc_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) { UINT8 *p = (UINT8 *)p_data; + UINT8 reason = SMP_INVALID_PARAMETERS; SMP_TRACE_DEBUG("%s", __func__); + + if (smp_command_has_invalid_parameters(p_cb)) + { + android_errorWriteLog(0x534e4554, "111937065"); + smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); + return; + } + STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN); smp_key_distribution(p_cb, NULL); @@ -1004,14 +1013,23 @@ void smp_proc_master_id(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) } /******************************************************************************* -** Function smp_proc_enc_info +** Function smp_proc_id_info ** Description process identity information from peer device *******************************************************************************/ void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) { UINT8 *p = (UINT8 *)p_data; + UINT8 reason = SMP_INVALID_PARAMETERS; SMP_TRACE_DEBUG("%s", __func__); + + if (smp_command_has_invalid_parameters(p_cb)) + { + android_errorWriteLog(0x534e4554, "111937065"); + smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); + return; + } + STREAM_TO_ARRAY (p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */ smp_key_distribution_by_transport(p_cb, NULL); } |