• R/O
  • HTTP
  • SSH
  • HTTPS

Commit

Tags
Keine Tags

Frequently used words (click to add to your profile)

javac++androidlinuxc#windowsobjective-ccocoa誰得qtpythonphprubygameguibathyscaphec計画中(planning stage)翻訳omegatframeworktwitterdomtestvb.netdirectxゲームエンジンbtronarduinopreviewer

system/bt


Commit MetaInfo

Revision954bbdc172a1dc61b0ec55516b5dc19ccefb7da2 (tree)
Zeit2019-12-04 17:19:54
AutorAutomerger Merge Worker <android-build-automerger-merge-worker@syst...>
CommiterAutomerger Merge Worker

Log Message

Merge "Fix potential OOB write in btm_read_remote_ext_features_complete" into pi-dev am: 7f3b214ec9 am: 5f1bca6b9a

Change-Id: I4a2fda2ab7b244ec584452400393ad0c3fe2e386

Ändern Zusammenfassung

Diff

--- a/stack/btm/btm_acl.cc
+++ b/stack/btm/btm_acl.cc
@@ -1084,7 +1084,7 @@ void btm_read_remote_features_complete(uint8_t* p) {
10841084 * Returns void
10851085 *
10861086 ******************************************************************************/
1087-void btm_read_remote_ext_features_complete(uint8_t* p) {
1087+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
10881088 tACL_CONN* p_acl_cb;
10891089 uint8_t page_num, max_page;
10901090 uint16_t handle;
@@ -1092,6 +1092,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
10921092
10931093 BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
10941094
1095+ if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
1096+ android_errorWriteLog(0x534e4554, "141552859");
1097+ BTM_TRACE_ERROR(
1098+ "btm_read_remote_ext_features_complete evt length too short. length=%d",
1099+ evt_len);
1100+ return;
1101+ }
1102+
10951103 ++p;
10961104 STREAM_TO_UINT16(handle, p);
10971105 STREAM_TO_UINT8(page_num, p);
@@ -1111,6 +1119,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
11111119 return;
11121120 }
11131121
1122+ if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {
1123+ android_errorWriteLog(0x534e4554, "141552859");
1124+ BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
1125+ page_num);
1126+ return;
1127+ }
1128+
1129+ if (page_num > max_page) {
1130+ BTM_TRACE_WARNING(
1131+ "btm_read_remote_ext_features_complete num_page=%d, max_page=%d "
1132+ "invalid", page_num, max_page);
1133+ }
1134+
11141135 p_acl_cb = &btm_cb.acl_db[acl_idx];
11151136
11161137 /* Copy the received features page */
--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -119,7 +119,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void);
119119 extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr,
120120 tBT_TRANSPORT transport);
121121 extern void btm_read_remote_features_complete(uint8_t* p);
122-extern void btm_read_remote_ext_features_complete(uint8_t* p);
122+extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
123123 extern void btm_read_remote_ext_features_failed(uint8_t status,
124124 uint16_t handle);
125125 extern void btm_read_remote_version_complete(uint8_t* p);
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -75,7 +75,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p);
7575 static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
7676 static void btu_hcif_encryption_change_evt(uint8_t* p);
7777 static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
78-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
78+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
79+ uint8_t evt_len);
7980 static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
8081 static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
8182 static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);
@@ -295,7 +296,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
295296 btu_hcif_read_rmt_features_comp_evt(p);
296297 break;
297298 case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
298- btu_hcif_read_rmt_ext_features_comp_evt(p);
299+ btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
299300 break;
300301 case HCI_READ_RMT_VERSION_COMP_EVT:
301302 btu_hcif_read_rmt_version_comp_evt(p);
@@ -1211,7 +1212,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) {
12111212 * Returns void
12121213 *
12131214 ******************************************************************************/
1214-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
1215+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
1216+ uint8_t evt_len) {
12151217 uint8_t* p_cur = p;
12161218 uint8_t status;
12171219 uint16_t handle;
@@ -1219,7 +1221,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
12191221 STREAM_TO_UINT8(status, p_cur);
12201222
12211223 if (status == HCI_SUCCESS)
1222- btm_read_remote_ext_features_complete(p);
1224+ btm_read_remote_ext_features_complete(p, evt_len);
12231225 else {
12241226 STREAM_TO_UINT16(handle, p_cur);
12251227 btm_read_remote_ext_features_failed(status, handle);
--- a/stack/include/hcidefs.h
+++ b/stack/include/hcidefs.h
@@ -1323,6 +1323,8 @@ typedef struct {
13231323
13241324 #define HCI_FEATURE_BYTES_PER_PAGE 8
13251325
1326+#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
1327+
13261328 #define HCI_FEATURES_KNOWN(x) \
13271329 (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0)
13281330