authorAjay Kumar <ajayku@codeaurora.org>2014-03-12 19:29:27 +0530
committerLinux Build Service Account <lnxbuild@localhost>2015-10-06 03:21:41 -0600
commit4dabb3ac32114f6f487d9bdffd71b305c2b2e5ff (patch)
tree072bcfb99db05a72bf6a55452dada248d084e7c4 /stack/l2cap/l2c_main.c
parent56f67474599820582a4a1fb560d549f2bccdb8cd (diff)
Handled invalid MTU Size in L2cap Process Commands
Use case: Execute the L2cap test suite on the Codenomicon tool. (1) From the Codenomicon Defensics 11 menu Utilities > Bluetooth Scan, pair Bluetooth between the PC and the phone. (2) In Defensics 11 Settings, choose the paired phone's Bluetooth address as the Target Bluetooth device address in Basic configuration. (3) Run the test case " Security - l2cap ". (4) When test cases number 28 and 29 run, check the phone: BT turns off and turns on automatically. Failure: BT crash observed due to invalid MTU packets from the test tool. Root cause: L2cap is not validating packets in L2cap Process Commands. Fix: Fixed by sending a reject cmd for invalid commands from the tool. Change-Id: I8c503ab77d8fca3728a84c3457d8115e31ee3a13
Diffstat (limited to 'stack/l2cap/l2c_main.c')
-rw-r--r--stack/l2cap/l2c_main.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/stack/l2cap/l2c_main.c b/stack/l2cap/l2c_main.c
index 7791df254..bbadbea98 100644
--- a/stack/l2cap/l2c_main.c
+++ b/stack/l2cap/l2c_main.c
@@ -366,6 +366,12 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
STREAM_TO_UINT8 (id, p);
STREAM_TO_UINT16 (cmd_len, p);
+ if(cmd_len > GKI_BUF2_SIZE)
+ {
+ L2CAP_TRACE_WARNING ("L2CAP - Invalid MTU Size");
+ l2cu_send_peer_cmd_reject (p_lcb, L2CAP_CMD_REJ_MTU_EXCEEDED, id, 0, 0);
+ return;
+ }
/* Check command length does not exceed packet length */
if ((p_next_cmd = p + cmd_len) > p_pkt_end)
{
@@ -501,7 +507,7 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
p_cfg_start = p;
cfg_info.flush_to_present = cfg_info.mtu_present = cfg_info.qos_present =
- cfg_info.fcr_present = cfg_info.fcs_present = FALSE;
+ cfg_info.fcr_present = cfg_info.fcs_present = FALSE;
while (p < p_cfg_end)
{
@@ -711,7 +717,7 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
break;
case L2CAP_CMD_ECHO_REQ:
- l2cu_send_peer_echo_rsp (p_lcb, id, NULL, 0);
+ l2cu_send_peer_echo_rsp (p_lcb, id, p, cmd_len);
break;
case L2CAP_CMD_ECHO_RSP:
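Review bot: The echo response at `l2cu_send_peer_echo_rsp (p_lcb, id, p, cmd_len);` now copies peer-supplied data of peer-chosen length back into a response, and the only bounds on that length visible here are the new `cmd_len > GKI_BUF2_SIZE` check and the existing `p + cmd_len > p_pkt_end` check in the first hunk; whether the helper's response buffer can hold a GKI_BUF2_SIZE-byte payload plus the L2CAP and signalling headers is not shown and should be confirmed in l2cu_send_peer_echo_rsp. In the first hunk the reject is sent with `0, 0` as its data, whereas an MTU-exceeded Command Reject is expected to report the actual signalling MTU, and the comparison is against an internal buffer size rather than the signalling MTU, so the peer receives no usable value; consider passing the configured signalling MTU and documenting the choice of bound with `/* cmd_len is bounded by the receive buffer size, not the signalling MTU */`. Minor style: `if(cmd_len > GKI_BUF2_SIZE)` omits the space before `(` that the surrounding code uses (`if ((p_next_cmd ...`). process_l2cap_cmd starts before the first hunk and continues past the last one.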