diff options
author | Jack He <siyuanh@google.com> | 2018-06-01 14:00:42 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-08-08 21:42:04 +0200 |
commit | b7ea5ae197085e2b985b86cb29f47b44e4e9f578 (patch) | |
tree | 70b85bc1ba98316c619e7a59ad6aad8ad7f17ea7 | |
parent | 06cca56e23f0ebcd95be47c3866f71d64ab34e07 (diff) | |
download | android_system_bt-b7ea5ae197085e2b985b86cb29f47b44e4e9f578.tar.gz android_system_bt-b7ea5ae197085e2b985b86cb29f47b44e4e9f578.tar.bz2 android_system_bt-b7ea5ae197085e2b985b86cb29f47b44e4e9f578.zip |
BNEP: Fix OOB access in bnep_data_ind
* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
is most likely triggered
Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
BNEP_EXTENSION_CONTROL packet
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0416340ffa61337dbaa2f6602ef85a1c32563ec2)
-rw-r--r-- | stack/bnep/bnep_main.c | 35 |
1 files changed, 26 insertions, 9 deletions
diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c index cb7a3c20d..0fb3e0e2f 100644 --- a/stack/bnep/bnep_main.c +++ b/stack/bnep/bnep_main.c @@ -468,6 +468,11 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) tBNEP_CONN *p_bcb; UINT8 *p = (UINT8 *)(p_buf + 1) + p_buf->offset; UINT16 rem_len = p_buf->len; + if (rem_len == 0) { + android_errorWriteLog(0x534e4554, "78286118"); + osi_free(p_buf); + return; + } UINT8 type, ctrl_type, ext_type = 0; BOOLEAN extension_present, fw_ext_present; UINT16 protocol = 0; @@ -520,22 +525,34 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) UINT16 org_len, new_len; /* parse the extension headers and process unknown control headers */ org_len = rem_len; - new_len = 0; do { - if (org_len < 2) break; + if (org_len < 2) { + android_errorWriteLog(0x534e4554, "67863755"); + break; + } ext = *p++; length = *p++; - p += length; new_len = (length + 2); - if (new_len > org_len) break; + if (new_len > org_len) { + android_errorWriteLog(0x534e4554, "67863755"); + break; + } + + if ((ext & 0x7F) == BNEP_EXTENSION_FILTER_CONTROL) { + if (length == 0) { + android_errorWriteLog(0x534e4554, "79164722"); + break; + } + if (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG) { + bnep_send_command_not_understood(p_bcb, *p); + } + } - if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG)) - bnep_send_command_not_understood (p_bcb, *p); + p += length; org_len -= new_len; } while (ext & 0x80); - android_errorWriteLog(0x534e4554, "67863755"); } GKI_freebuf (p_buf); @@ -589,14 +606,14 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf) { ext_type = *p++; rem_len--; - android_errorWriteLog(0x534e4554, "69271284"); extension_present = ext_type >> 7; ext_type &= 0x7F; /* if unknown extension present stop processing */ - if (ext_type) + if (ext_type != BNEP_EXTENSION_FILTER_CONTROL) break; + android_errorWriteLog(0x534e4554, "69271284"); p = bnep_process_control_packet (p_bcb, p, &rem_len, TRUE); } } |