authorCheney Ni <cheneyni@google.com>2018-08-08 22:20:08 +0800
committerTim Schumacher <timschumi@gmx.de>2018-11-18 07:45:48 +0000
commit7b2ff70bdc55cf5ba5451c4e158a70d87c897c26 (patch)
tree631709951e7edd1c21310e368a6a2bbcc5515c0b
parent10de1343b6e3b65e913b8d9281b7bb5a32c841a3 (diff)
Checks the SMP length to fix OOB read
Bug: 111937065 Test: manual Change-Id: I330880a6e1671d0117845430db4076dfe1aba688 Merged-In: I330880a6e1671d0117845430db4076dfe1aba688 (cherry picked from commit fceb753bda651c4135f3f93a510e5fcb4c7542b8)
-rw-r--r--stack/smp/smp_act.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
index bcd96d12b..10ac5d393 100644
--- a/stack/smp/smp_act.c
+++ b/stack/smp/smp_act.c
@@ -959,8 +959,17 @@ void smp_br_select_next_key(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
void smp_proc_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
{
UINT8 *p = (UINT8 *)p_data;
+ UINT8 reason = SMP_INVALID_PARAMETERS;
SMP_TRACE_DEBUG("%s", __func__);
+
+ if (smp_command_has_invalid_parameters(p_cb))
+ {
+ android_errorWriteLog(0x534e4554, "111937065");
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
smp_key_distribution(p_cb, NULL);
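Review bot: In smp_proc_enc_info the new guard takes only p_cb, while the copy it protects, `STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN)`, reads BT_OCTET16_LEN bytes from p. Nothing at the call site says which length is being compared, and smp_command_has_invalid_parameters is defined outside this diff, so the hunk alone does not show that the check covers this read. A comment above the check would make the dependency explicit, for example `/* Peer-controlled length: reject before reading BT_OCTET16_LEN bytes of LTK from p */`. The literal `0x534e4554` also deserves a comment such as `/* "SNET": SafetyNet event-log tag; second argument is the bug id */` so the log entry can be found during triage. Both remarks apply to the identical block in smp_proc_id_info in the next hunk, and the function body continues past the end of this hunk.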
@@ -1004,14 +1013,23 @@ void smp_proc_master_id(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
}
/*******************************************************************************
-** Function smp_proc_enc_info
+** Function smp_proc_id_info
** Description process identity information from peer device
*******************************************************************************/
void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
{
UINT8 *p = (UINT8 *)p_data;
+ UINT8 reason = SMP_INVALID_PARAMETERS;
SMP_TRACE_DEBUG("%s", __func__);
+
+ if (smp_command_has_invalid_parameters(p_cb))
+ {
+ android_errorWriteLog(0x534e4554, "111937065");
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
STREAM_TO_ARRAY (p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
smp_key_distribution_by_transport(p_cb, NULL);
}
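Review bot: smp_proc_master_id, whose closing brace is the first context line of this hunk, gets no matching length guard in this commit, and its body is outside the hunk, so it is not visible whether it already validates the received length. It presumably parses fixed-size fields from peer data in the same way. It and the other key-distribution handlers in this file should be checked for a call to `smp_command_has_invalid_parameters(p_cb)` before their first STREAM_TO_* read, or the same out-of-bounds read may remain reachable through a different opcode. The commit message lists only `Test: manual`; a test that feeds each of these handlers a truncated command would keep the guards from regressing.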