diff options
author | Pavlin Radoslavov <pavlin@google.com> | 2018-05-30 17:56:14 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-08-08 21:48:20 +0200 |
commit | 8dd65f3fc5779e6eb129647abdd2b11fcabf8f08 (patch) | |
tree | d22be61434fa0cf98d7f844661cfd79569113729 | |
parent | 5232ac1452a7c818c71b30345e138138538904f6 (diff) | |
download | android_system_bt-8dd65f3fc5779e6eb129647abdd2b11fcabf8f08.tar.gz android_system_bt-8dd65f3fc5779e6eb129647abdd2b11fcabf8f08.tar.bz2 android_system_bt-8dd65f3fc5779e6eb129647abdd2b11fcabf8f08.zip |
Add checks whether the AVDTP element data length is valid
Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
(cherry picked from commit ee30c88a8d49b30860d35b34a57c3037a4045678)
-rw-r--r-- | stack/avdt/avdt_msg.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c index 2a29c64c5..77a7c7dd9 100644 --- a/stack/avdt/avdt_msg.c +++ b/stack/avdt/avdt_msg.c @@ -26,6 +26,7 @@ * ******************************************************************************/ +#include <log/log.h> #include <string.h> #include "bt_types.h" #include "bt_target.h" @@ -671,6 +672,11 @@ static UINT8 avdt_msg_prs_cfg(tAVDT_CFG *p_cfg, UINT8 *p, UINT16 len, UINT8* p_e case AVDT_CAT_PROTECT: p_cfg->psc_mask &= ~AVDT_PSC_PROTECT; + if (p + elem_len > p_end) { + err = AVDT_ERR_LENGTH; + android_errorWriteLog(0x534e4554, "78288378"); + break; + } if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE) { p_cfg->num_protect++; @@ -745,6 +751,11 @@ static UINT8 avdt_msg_prs_cfg(tAVDT_CFG *p_cfg, UINT8 *p, UINT16 len, UINT8* p_e { tmp = AVDT_CODEC_SIZE - 1; } + if (p + tmp > p_end) { + err = AVDT_ERR_LENGTH; + android_errorWriteLog(0x534e4554, "78288378"); + break; + } p_cfg->num_codec++; p_cfg->codec_info[0] = elem_len; memcpy(&p_cfg->codec_info[1], p, tmp); |