system/bt
Revision | c6f7f8671cbabc96a5c7a448a97d16f42818c42e (tree) |
Zeit | 2017-09-15 02:54:03 |
Autor | Pavlin Radoslavov <pavlin@goog...> |
Committer | Dan Pasanen |
Add missing packet length checks while parsing BNEP control packets
Bug: 63146237
Test: External script
Change-Id: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
Merged-In: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
(cherry picked from commit 7feaeb006941a1494d7cdc0a2ffc4bb1004b38b4)
(cherry picked from commit 6d415839da570b94b0763f6ab444f0dd1321fc33)
(cherry picked from commit c68554feb3ddfd31cdec6d81a4b73a959c1b2a09)
(cherry picked from commit 3775b3c49e5d62349fd1f3dfb743fabadb43ea75)
(cherry picked from commit f31afd3836184edccdfc8393dc4d168b0cfd912b)
@@ -762,35 +762,53 @@ void bnep_process_setup_conn_responce (tBNEP_CONN *p_bcb, UINT8 *p_setup) | ||
762 | 762 | UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext) |
763 | 763 | { |
764 | 764 | UINT8 control_type; |
765 | - BOOLEAN bad_pkt = FALSE; | |
766 | 765 | UINT16 len, ext_len = 0; |
767 | 766 | |
767 | + if (p == NULL || rem_len == NULL) { | |
768 | + if (rem_len != NULL) *rem_len = 0; | |
769 | + BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p, | |
770 | + rem_len); | |
771 | + return NULL; | |
772 | + } | |
773 | + UINT16 rem_len_orig = *rem_len; | |
774 | + | |
768 | 775 | if (is_ext) |
769 | 776 | { |
777 | + if (*rem_len < 1) goto bad_packet_length; | |
770 | 778 | ext_len = *p++; |
771 | 779 | *rem_len = *rem_len - 1; |
772 | 780 | } |
773 | 781 | |
782 | + if (*rem_len < 1) goto bad_packet_length; | |
774 | 783 | control_type = *p++; |
775 | 784 | *rem_len = *rem_len - 1; |
776 | 785 | |
777 | - BNEP_TRACE_EVENT ("BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", *rem_len, is_ext, control_type); | |
786 | + BNEP_TRACE_EVENT("%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", | |
787 | + __func__, *rem_len, is_ext, control_type); | |
778 | 788 | |
779 | 789 | switch (control_type) |
780 | 790 | { |
781 | 791 | case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD: |
782 | - BNEP_TRACE_ERROR ("BNEP Received Cmd not understood for ctl pkt type: %d", *p); | |
792 | + if (*rem_len < 1) { | |
793 | + BNEP_TRACE_ERROR( | |
794 | + "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length", | |
795 | + __func__); | |
796 | + goto bad_packet_length; | |
797 | + } | |
798 | + BNEP_TRACE_ERROR( | |
799 | + "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d", | |
800 | + __func__, *p); | |
783 | 801 | p++; |
784 | 802 | *rem_len = *rem_len - 1; |
785 | 803 | break; |
786 | 804 | |
787 | 805 | case BNEP_SETUP_CONNECTION_REQUEST_MSG: |
788 | 806 | len = *p++; |
789 | - if (*rem_len < ((2 * len) + 1)) | |
790 | - { | |
791 | - bad_pkt = TRUE; | |
792 | - BNEP_TRACE_ERROR ("BNEP Received Setup message with bad length"); | |
793 | - break; | |
807 | + if (*rem_len < ((2 * len) + 1)) { | |
808 | + BNEP_TRACE_ERROR( | |
809 | + "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", | |
810 | + __func__); | |
811 | + goto bad_packet_length; | |
794 | 812 | } |
795 | 813 | if (!is_ext) |
796 | 814 | bnep_process_setup_conn_req (p_bcb, p, (UINT8)len); |
@@ -799,6 +817,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len | ||
799 | 817 | break; |
800 | 818 | |
801 | 819 | case BNEP_SETUP_CONNECTION_RESPONSE_MSG: |
820 | + if (*rem_len < 2) { | |
821 | + BNEP_TRACE_ERROR( | |
822 | + "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length", | |
823 | + __func__); | |
824 | + goto bad_packet_length; | |
825 | + } | |
802 | 826 | if (!is_ext) |
803 | 827 | bnep_process_setup_conn_responce (p_bcb, p); |
804 | 828 | p += 2; |
@@ -809,9 +833,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len | ||
809 | 833 | BE_STREAM_TO_UINT16 (len, p); |
810 | 834 | if (*rem_len < (len + 2)) |
811 | 835 | { |
812 | - bad_pkt = TRUE; | |
813 | - BNEP_TRACE_ERROR ("BNEP Received Filter set message with bad length"); | |
814 | - break; | |
836 | + BNEP_TRACE_ERROR( | |
837 | + "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", | |
838 | + __func__); | |
839 | + goto bad_packet_length; | |
815 | 840 | } |
816 | 841 | bnepu_process_peer_filter_set (p_bcb, p, len); |
817 | 842 | p += len; |
@@ -819,6 +844,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len | ||
819 | 844 | break; |
820 | 845 | |
821 | 846 | case BNEP_FILTER_NET_TYPE_RESPONSE_MSG: |
847 | + if (*rem_len < 2) { | |
848 | + BNEP_TRACE_ERROR( | |
849 | + "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length", | |
850 | + __func__); | |
851 | + goto bad_packet_length; | |
852 | + } | |
822 | 853 | bnepu_process_peer_filter_rsp (p_bcb, p); |
823 | 854 | p += 2; |
824 | 855 | *rem_len = *rem_len - 2; |
@@ -828,9 +859,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len | ||
828 | 859 | BE_STREAM_TO_UINT16 (len, p); |
829 | 860 | if (*rem_len < (len + 2)) |
830 | 861 | { |
831 | - bad_pkt = TRUE; | |
832 | - BNEP_TRACE_ERROR ("BNEP Received Multicast Filter Set message with bad length"); | |
833 | - break; | |
862 | + BNEP_TRACE_ERROR( | |
863 | + "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", | |
864 | + __func__); | |
865 | + goto bad_packet_length; | |
834 | 866 | } |
835 | 867 | bnepu_process_peer_multicast_filter_set (p_bcb, p, len); |
836 | 868 | p += len; |
@@ -838,30 +870,38 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len | ||
838 | 870 | break; |
839 | 871 | |
840 | 872 | case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG: |
873 | + if (*rem_len < 2) { | |
874 | + BNEP_TRACE_ERROR( | |
875 | + "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length", | |
876 | + __func__); | |
877 | + goto bad_packet_length; | |
878 | + } | |
841 | 879 | bnepu_process_multicast_filter_rsp (p_bcb, p); |
842 | 880 | p += 2; |
843 | 881 | *rem_len = *rem_len - 2; |
844 | 882 | break; |
845 | 883 | |
846 | 884 | default : |
847 | - BNEP_TRACE_ERROR ("BNEP - bad ctl pkt type: %d", control_type); | |
885 | + BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__, | |
886 | + control_type); | |
848 | 887 | bnep_send_command_not_understood (p_bcb, control_type); |
849 | 888 | if (is_ext) |
850 | 889 | { |
890 | + if (*rem_len < (ext_len - 1)) { | |
891 | + goto bad_packet_length; | |
892 | + } | |
851 | 893 | p += (ext_len - 1); |
852 | 894 | *rem_len -= (ext_len - 1); |
853 | 895 | } |
854 | 896 | break; |
855 | 897 | } |
856 | - | |
857 | - if (bad_pkt) | |
858 | - { | |
859 | - BNEP_TRACE_ERROR ("BNEP - bad ctl pkt length: %d", *rem_len); | |
860 | - *rem_len = 0; | |
861 | - return NULL; | |
862 | - } | |
863 | - | |
864 | 898 | return p; |
899 | + | |
900 | +bad_packet_length: | |
901 | + BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d", | |
902 | + __func__, rem_len_orig, *rem_len); | |
903 | + *rem_len = 0; | |
904 | + return NULL; | |
865 | 905 | } |
866 | 906 | |
867 | 907 |
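Review bot: The new guard in the `default` case, `if (*rem_len < (ext_len - 1))`, does not cover an extension header whose `ext_len` byte is 0: `ext_len - 1` promotes to int -1, the comparison is false, and `p += (ext_len - 1)` / `*rem_len -= (ext_len - 1)` then step `p` back one byte and grow `*rem_len` by one, so a malformed extension still desynchronises the parser. A minimal fix is `if (ext_len < 1 || *rem_len < (ext_len - 1)) goto bad_packet_length;`. Separately, `BNEP_SETUP_CONNECTION_REQUEST_MSG` still executes `len = *p++;` before any check on `*rem_len`, so when `*rem_len` is 0 after the control-type byte the length byte is read past the validated data before the `(2 * len) + 1` check rejects it; an `if (*rem_len < 1) goto bad_packet_length;` ahead of that read, matching the pattern the commit uses in the other cases, would close it. Whether that one-byte over-read is reachable depends on how much slack the caller's buffer carries, which is not visible here.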