OSDN > Entwickler > natedogg > Kammer > system-bt > Commit

system-bt
Fork

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Revision	c6f7f8671cbabc96a5c7a448a97d16f42818c42e (tree)
Zeit	2017-09-15 02:54:03
Autor	Pavlin Radoslavov <pavlin@goog...>
Commiter	Dan Pasanen

Log Message

Add missing packet length checks while parsing BNEP control packets

Bug: 63146237
Test: External script
Change-Id: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
Merged-In: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
(cherry picked from commit 7feaeb006941a1494d7cdc0a2ffc4bb1004b38b4)
(cherry picked from commit 6d415839da570b94b0763f6ab444f0dd1321fc33)
(cherry picked from commit c68554feb3ddfd31cdec6d81a4b73a959c1b2a09)
(cherry picked from commit 3775b3c49e5d62349fd1f3dfb743fabadb43ea75)
(cherry picked from commit f31afd3836184edccdfc8393dc4d168b0cfd912b)

Ändern Zusammenfassung

modified: stack/bnep/bnep_utils.c (diff)

Diff

--- a/stack/bnep/bnep_utils.c

+++ b/stack/bnep/bnep_utils.c

		@@ -762,35 +762,53 @@ void bnep_process_setup_conn_responce (tBNEP_CONN p_bcb, UINT8 p_setup)
762	762	UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len, BOOLEAN is_ext)
763	763	{
764	764	UINT8 control_type;
765		- BOOLEAN bad_pkt = FALSE;
766	765	UINT16 len, ext_len = 0;
767	766
	767	+ if (p == NULL \|\| rem_len == NULL) {
	768	+ if (rem_len != NULL) *rem_len = 0;
	769	+ BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p,
	770	+ rem_len);
	771	+ return NULL;
	772	+ }
	773	+ UINT16 rem_len_orig = *rem_len;
	774	+
768	775	if (is_ext)
769	776	{
	777	+ if (*rem_len < 1) goto bad_packet_length;
770	778	ext_len = *p++;
771	779	rem_len = rem_len - 1;
772	780	}
773	781
	782	+ if (*rem_len < 1) goto bad_packet_length;
774	783	control_type = *p++;
775	784	rem_len = rem_len - 1;
776	785
777		- BNEP_TRACE_EVENT ("BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", *rem_len, is_ext, control_type);
	786	+ BNEP_TRACE_EVENT("%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
	787	+ __func__, *rem_len, is_ext, control_type);
778	788
779	789	switch (control_type)
780	790	{
781	791	case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD:
782		- BNEP_TRACE_ERROR ("BNEP Received Cmd not understood for ctl pkt type: %d", *p);
	792	+ if (*rem_len < 1) {
	793	+ BNEP_TRACE_ERROR(
	794	+ "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length",
	795	+ __func__);
	796	+ goto bad_packet_length;
	797	+ }
	798	+ BNEP_TRACE_ERROR(
	799	+ "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d",
	800	+ __func__, *p);
783	801	p++;
784	802	rem_len = rem_len - 1;
785	803	break;
786	804
787	805	case BNEP_SETUP_CONNECTION_REQUEST_MSG:
788	806	len = *p++;
789		- if (rem_len < ((2 len) + 1))
790		- {
791		- bad_pkt = TRUE;
792		- BNEP_TRACE_ERROR ("BNEP Received Setup message with bad length");
793		- break;
	807	+ if (rem_len < ((2 len) + 1)) {
	808	+ BNEP_TRACE_ERROR(
	809	+ "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
	810	+ __func__);
	811	+ goto bad_packet_length;
794	812	}
795	813	if (!is_ext)
796	814	bnep_process_setup_conn_req (p_bcb, p, (UINT8)len);

		@@ -799,6 +817,12 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
799	817	break;
800	818
801	819	case BNEP_SETUP_CONNECTION_RESPONSE_MSG:
	820	+ if (*rem_len < 2) {
	821	+ BNEP_TRACE_ERROR(
	822	+ "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length",
	823	+ __func__);
	824	+ goto bad_packet_length;
	825	+ }
802	826	if (!is_ext)
803	827	bnep_process_setup_conn_responce (p_bcb, p);
804	828	p += 2;

		@@ -809,9 +833,10 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
809	833	BE_STREAM_TO_UINT16 (len, p);
810	834	if (*rem_len < (len + 2))
811	835	{
812		- bad_pkt = TRUE;
813		- BNEP_TRACE_ERROR ("BNEP Received Filter set message with bad length");
814		- break;
	836	+ BNEP_TRACE_ERROR(
	837	+ "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
	838	+ __func__);
	839	+ goto bad_packet_length;
815	840	}
816	841	bnepu_process_peer_filter_set (p_bcb, p, len);
817	842	p += len;

		@@ -819,6 +844,12 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
819	844	break;
820	845
821	846	case BNEP_FILTER_NET_TYPE_RESPONSE_MSG:
	847	+ if (*rem_len < 2) {
	848	+ BNEP_TRACE_ERROR(
	849	+ "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length",
	850	+ __func__);
	851	+ goto bad_packet_length;
	852	+ }
822	853	bnepu_process_peer_filter_rsp (p_bcb, p);
823	854	p += 2;
824	855	rem_len = rem_len - 2;

		@@ -828,9 +859,10 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
828	859	BE_STREAM_TO_UINT16 (len, p);
829	860	if (*rem_len < (len + 2))
830	861	{
831		- bad_pkt = TRUE;
832		- BNEP_TRACE_ERROR ("BNEP Received Multicast Filter Set message with bad length");
833		- break;
	862	+ BNEP_TRACE_ERROR(
	863	+ "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
	864	+ __func__);
	865	+ goto bad_packet_length;
834	866	}
835	867	bnepu_process_peer_multicast_filter_set (p_bcb, p, len);
836	868	p += len;

		@@ -838,30 +870,38 @@ UINT8 bnep_process_control_packet (tBNEP_CONN p_bcb, UINT8 p, UINT16 rem_len
838	870	break;
839	871
840	872	case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG:
	873	+ if (*rem_len < 2) {
	874	+ BNEP_TRACE_ERROR(
	875	+ "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length",
	876	+ __func__);
	877	+ goto bad_packet_length;
	878	+ }
841	879	bnepu_process_multicast_filter_rsp (p_bcb, p);
842	880	p += 2;
843	881	rem_len = rem_len - 2;
844	882	break;
845	883
846	884	default :
847		- BNEP_TRACE_ERROR ("BNEP - bad ctl pkt type: %d", control_type);
	885	+ BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__,
	886	+ control_type);
848	887	bnep_send_command_not_understood (p_bcb, control_type);
849	888	if (is_ext)
850	889	{
	890	+ if (*rem_len < (ext_len - 1)) {
	891	+ goto bad_packet_length;
	892	+ }
851	893	p += (ext_len - 1);
852	894	*rem_len -= (ext_len - 1);
853	895	}
854	896	break;
855	897	}
856		-
857		- if (bad_pkt)
858		- {
859		- BNEP_TRACE_ERROR ("BNEP - bad ctl pkt length: %d", *rem_len);
860		- *rem_len = 0;
861		- return NULL;
862		- }
863		-
864	898	return p;
	899	+
	900	+bad_packet_length:
	901	+ BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d",
	902	+ __func__, rem_len_orig, *rem_len);
	903	+ *rem_len = 0;
	904	+ return NULL;
865	905	}
866	906
867	907

system-bt Fork