authorHansong Zhang <hsz@google.com>2018-08-08 11:31:28 -0700
committerTim Schumacher <timschumi@gmx.de>2018-11-18 07:45:39 +0000
commitfa1d477e2bfc20f5067c34bbabb439f661ec8ba3 (patch)
tree956c009c0036e06bdfc98c26c585839d6949805a
parenta9fd8465015a0e0ff8572749b44d7795f8045020 (diff)
Check remaining frame length in rfc_process_mx_message
Bug: 111936792 Bug: 80432928 Test: manual Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79 (cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
-rw-r--r--stack/rfcomm/rfc_ts_frames.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/stack/rfcomm/rfc_ts_frames.c b/stack/rfcomm/rfc_ts_frames.c
index 9e755ed4d..c87cc2abd 100644
--- a/stack/rfcomm/rfc_ts_frames.c
+++ b/stack/rfcomm/rfc_ts_frames.c
@@ -22,6 +22,9 @@
*
******************************************************************************/
+#define LOG_TAG "rfc_ts_frames"
+#include "osi/include/log.h"
+
#include <stddef.h>
#include "bt_target.h"
#include "btcore/include/counter.h"
@@ -714,6 +717,14 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
UINT8 ea, cr, mx_len;
BOOLEAN is_command;
+ if (length < 2)
+ {
+ RFCOMM_TRACE_ERROR("%s: Illegal MX Frame len when reading EA, C/R. len:%d < 2",
+ __func__, length);
+ LOG_ERROR(LOG_TAG, "111937065");
+ osi_free(p_buf);
+ return;
+ }
p_rx_frame->ea = *p_data & RFCOMM_EA;
p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
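Review bot: The bare string in `LOG_ERROR(LOG_TAG, "111937065")` is an id that matches neither bug named in the commit message (111936792, 80432928) and nothing in the file says what it is for, so a reader cannot tell whether it is a deliberate marker or a paste error; a comment at this first occurrence, such as `/* fixed id logged so that rejected malformed MX frames can be found in the log; see tracking bug */`, would settle that. The same four-line trace/log/free/return sequence is repeated verbatim in the next two hunks (after `if (!ea)` and in the `RFCOMM_MX_MSC` case), where one static helper taking the message would keep the copies from drifting as more cases are guarded. The literal `2` is also unexplained: the bytes it protects are the EA/C-R/type byte read on the following lines and, presumably, the first length byte consumed just after this hunk, so `/* need the type byte and at least one length byte */` would document the bound. The enclosing function starts and ends outside the hunk.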
@@ -736,6 +747,14 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
if (!ea)
{
+ if (length < 1)
+ {
+ RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0. len:%d < 1",
+ __func__, length);
+ LOG_ERROR(LOG_TAG, "111937065");
+ osi_free(p_buf);
+ return;
+ }
mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
length --;
}
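Review bot: After the second length byte is consumed and `length --` runs, this block only checks that the byte exists, not that the assembled `mx_len` agrees with what actually remains; the per-type check added later in this commit for MSC compares `length`, not `mx_len`, so if no `mx_len`-versus-`length` comparison sits between this block and the `switch` (that stretch is outside the hunk), a frame whose encoded length disagrees with the remaining payload would still be dispatched. A guard of the form `if (mx_len > length)` followed by the same trace/log/free/return sequence would close that gap at one place rather than per case. Separately, `mx_len` is declared `UINT8` in the previous hunk, so the shifted high byte added on the context line here appears to be truncated; that deserves a comment at the declaration, `/* 8-bit only: MX payload lengths above 255 are not representable here */`, or a wider type if larger frames are expected. The enclosing function continues outside the hunk on both sides.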
@@ -812,6 +831,14 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
return;
case RFCOMM_MX_MSC:
+ if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
+ length != RFCOMM_MX_MSC_LEN_NO_BREAK)
+ {
+ RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__, length);
+ LOG_ERROR(LOG_TAG, "111937065");
+ osi_free(p_buf);
+ return;
+ }
ea = *p_data & RFCOMM_EA;
cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;