author | Hansong Zhang <hsz@google.com> | 2018-06-07 16:18:52 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-11-18 07:45:39 +0000 |
commit | 9aec9a237b8af2b5895385c188e36d662322edd3 (patch) | |
tree | 727cda1d5e37d33b5bcdb05b86b32d4239dc2f9b | |
parent | fa1d477e2bfc20f5067c34bbabb439f661ec8ba3 (diff) | |
Add bound check for rfc_parse_data
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
-rw-r--r-- | stack/include/rfcdefs.h | 7 | ||||
-rw-r--r-- | stack/rfcomm/rfc_ts_frames.c | 14 |
2 files changed, 13 insertions, 8 deletions
diff --git a/stack/include/rfcdefs.h b/stack/include/rfcdefs.h
index dcc37bc72..1c751f3f5 100644
--- a/stack/include/rfcdefs.h
+++ b/stack/include/rfcdefs.h
@@ -90,13 +90,6 @@
 pf = (*p_data++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET;\
 }
-#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data) \
-{ \
- ea = (*p_data & RFCOMM_EA); \
- length = (*p_data++ >> RFCOMM_SHIFT_LENGTH1); \
- if (!ea) length += (*p_data++ << RFCOMM_SHIFT_LENGTH2); \
-}
-
 #define RFCOMM_FRAME_IS_CMD(initiator, cr) \
 (( (initiator) && !(cr)) || (!(initiator) && (cr)))
diff --git a/stack/rfcomm/rfc_ts_frames.c b/stack/rfcomm/rfc_ts_frames.c
index c87cc2abd..c234430c8 100644
--- a/stack/rfcomm/rfc_ts_frames.c
+++ b/stack/rfcomm/rfc_ts_frames.c
@@ -602,7 +602,19 @@ UINT8 rfc_parse_data (tRFC_MCB *p_mcb, MX_FRAME *p_frame, BT_HDR *p_buf)
 return (RFC_EVENT_BAD_FRAME);
 }
 RFCOMM_PARSE_TYPE_FIELD (p_frame->type, p_frame->pf, p_data);
- RFCOMM_PARSE_LEN_FIELD (eal, len, p_data);
+
+ eal = *(p_data)&RFCOMM_EA;
+ len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
+ if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN)
+ {
+ len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
+ }
+ else if (eal == 0)
+ {
+ RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
+ LOG_ERROR(LOG_TAG, "78288018");
+ return RFC_EVENT_BAD_FRAME;
+ }
 p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
 p_buf->offset += (3 + !ead + !eal); |
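Review bot: The comparison on the added `if` in rfc_parse_data looks inverted: with `<`, the second length byte is read only when `p_buf->len` is below `RFCOMM_CTRL_FRAME_LEN` — the short-buffer case a bound check should be rejecting — while any frame that actually carries a two-byte length field (`eal == 0`) with a buffer at or above that size falls into the `else if` and is returned as `RFC_EVENT_BAD_FRAME`. Unless `RFCOMM_CTRL_FRAME_LEN` means something other than its name suggests, the guard should read `if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN)`, and since the commit message lists only a manual test, a unit test with a frame whose payload needs the two-byte length would pin the intended direction. The bare `LOG_ERROR(LOG_TAG, "78288018")` is an opaque number at the call site; a comment such as `/* bug id logged so malformed length fields can be tracked */` would make its purpose clear. rfc_parse_data begins and ends outside the hunk, so whether `p_buf->len` was already validated against the header bytes consumed before this point cannot be seen here.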