• R/O
  • HTTP
  • SSH
  • HTTPS

Commit

Tags
Keine Tags

Frequently used words (click to add to your profile)

javaandroidc++linuxc#objective-ccocoa誰得qtrubybathyscaphegamephpguicwindows翻訳pythonomegattwitterframeworkbtronarduinovb.net計画中(planning stage)directxpreviewertestゲームエンジンdom

system/bt


Commit MetaInfo

Revisionc6f7f8671cbabc96a5c7a448a97d16f42818c42e (tree)
Zeit2017-09-15 02:54:03
AutorPavlin Radoslavov <pavlin@goog...>
CommiterDan Pasanen

Log Message

Add missing packet length checks while parsing BNEP control packets

Bug: 63146237
Test: External script
Change-Id: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
Merged-In: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
(cherry picked from commit 7feaeb006941a1494d7cdc0a2ffc4bb1004b38b4)
(cherry picked from commit 6d415839da570b94b0763f6ab444f0dd1321fc33)
(cherry picked from commit c68554feb3ddfd31cdec6d81a4b73a959c1b2a09)
(cherry picked from commit 3775b3c49e5d62349fd1f3dfb743fabadb43ea75)
(cherry picked from commit f31afd3836184edccdfc8393dc4d168b0cfd912b)

Ändern Zusammenfassung

Diff

--- a/stack/bnep/bnep_utils.c
+++ b/stack/bnep/bnep_utils.c
@@ -762,35 +762,53 @@ void bnep_process_setup_conn_responce (tBNEP_CONN *p_bcb, UINT8 *p_setup)
762762 UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext)
763763 {
764764 UINT8 control_type;
765- BOOLEAN bad_pkt = FALSE;
766765 UINT16 len, ext_len = 0;
767766
767+ if (p == NULL || rem_len == NULL) {
768+ if (rem_len != NULL) *rem_len = 0;
769+ BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p,
770+ rem_len);
771+ return NULL;
772+ }
773+ UINT16 rem_len_orig = *rem_len;
774+
768775 if (is_ext)
769776 {
777+ if (*rem_len < 1) goto bad_packet_length;
770778 ext_len = *p++;
771779 *rem_len = *rem_len - 1;
772780 }
773781
782+ if (*rem_len < 1) goto bad_packet_length;
774783 control_type = *p++;
775784 *rem_len = *rem_len - 1;
776785
777- BNEP_TRACE_EVENT ("BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", *rem_len, is_ext, control_type);
786+ BNEP_TRACE_EVENT("%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
787+ __func__, *rem_len, is_ext, control_type);
778788
779789 switch (control_type)
780790 {
781791 case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD:
782- BNEP_TRACE_ERROR ("BNEP Received Cmd not understood for ctl pkt type: %d", *p);
792+ if (*rem_len < 1) {
793+ BNEP_TRACE_ERROR(
794+ "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length",
795+ __func__);
796+ goto bad_packet_length;
797+ }
798+ BNEP_TRACE_ERROR(
799+ "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d",
800+ __func__, *p);
783801 p++;
784802 *rem_len = *rem_len - 1;
785803 break;
786804
787805 case BNEP_SETUP_CONNECTION_REQUEST_MSG:
788806 len = *p++;
789- if (*rem_len < ((2 * len) + 1))
790- {
791- bad_pkt = TRUE;
792- BNEP_TRACE_ERROR ("BNEP Received Setup message with bad length");
793- break;
807+ if (*rem_len < ((2 * len) + 1)) {
808+ BNEP_TRACE_ERROR(
809+ "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
810+ __func__);
811+ goto bad_packet_length;
794812 }
795813 if (!is_ext)
796814 bnep_process_setup_conn_req (p_bcb, p, (UINT8)len);
@@ -799,6 +817,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
799817 break;
800818
801819 case BNEP_SETUP_CONNECTION_RESPONSE_MSG:
820+ if (*rem_len < 2) {
821+ BNEP_TRACE_ERROR(
822+ "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length",
823+ __func__);
824+ goto bad_packet_length;
825+ }
802826 if (!is_ext)
803827 bnep_process_setup_conn_responce (p_bcb, p);
804828 p += 2;
@@ -809,9 +833,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
809833 BE_STREAM_TO_UINT16 (len, p);
810834 if (*rem_len < (len + 2))
811835 {
812- bad_pkt = TRUE;
813- BNEP_TRACE_ERROR ("BNEP Received Filter set message with bad length");
814- break;
836+ BNEP_TRACE_ERROR(
837+ "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
838+ __func__);
839+ goto bad_packet_length;
815840 }
816841 bnepu_process_peer_filter_set (p_bcb, p, len);
817842 p += len;
@@ -819,6 +844,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
819844 break;
820845
821846 case BNEP_FILTER_NET_TYPE_RESPONSE_MSG:
847+ if (*rem_len < 2) {
848+ BNEP_TRACE_ERROR(
849+ "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length",
850+ __func__);
851+ goto bad_packet_length;
852+ }
822853 bnepu_process_peer_filter_rsp (p_bcb, p);
823854 p += 2;
824855 *rem_len = *rem_len - 2;
@@ -828,9 +859,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
828859 BE_STREAM_TO_UINT16 (len, p);
829860 if (*rem_len < (len + 2))
830861 {
831- bad_pkt = TRUE;
832- BNEP_TRACE_ERROR ("BNEP Received Multicast Filter Set message with bad length");
833- break;
862+ BNEP_TRACE_ERROR(
863+ "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
864+ __func__);
865+ goto bad_packet_length;
834866 }
835867 bnepu_process_peer_multicast_filter_set (p_bcb, p, len);
836868 p += len;
@@ -838,30 +870,38 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
838870 break;
839871
840872 case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG:
873+ if (*rem_len < 2) {
874+ BNEP_TRACE_ERROR(
875+ "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length",
876+ __func__);
877+ goto bad_packet_length;
878+ }
841879 bnepu_process_multicast_filter_rsp (p_bcb, p);
842880 p += 2;
843881 *rem_len = *rem_len - 2;
844882 break;
845883
846884 default :
847- BNEP_TRACE_ERROR ("BNEP - bad ctl pkt type: %d", control_type);
885+ BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__,
886+ control_type);
848887 bnep_send_command_not_understood (p_bcb, control_type);
849888 if (is_ext)
850889 {
890+ if (*rem_len < (ext_len - 1)) {
891+ goto bad_packet_length;
892+ }
851893 p += (ext_len - 1);
852894 *rem_len -= (ext_len - 1);
853895 }
854896 break;
855897 }
856-
857- if (bad_pkt)
858- {
859- BNEP_TRACE_ERROR ("BNEP - bad ctl pkt length: %d", *rem_len);
860- *rem_len = 0;
861- return NULL;
862- }
863-
864898 return p;
899+
900+bad_packet_length:
901+ BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d",
902+ __func__, rem_len_orig, *rem_len);
903+ *rem_len = 0;
904+ return NULL;
865905 }
866906
867907