system/bt
リビジョン | 00ed14439bc86bb6b566ffa4a3bb56b30e09f4ae (tree) |
---|---|
日時 | 2019-03-05 14:56:10 |
作者 | Stanley Tng <stng@goog...> |
コミッター | Kevin F. Haggerty |
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Add check to make sure that data buffer is big enough to read the 2
bytes for length.
Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict, causing validly
sized buffers to be rejected. The length check is incorrect and off by the header size.
Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4)
(cherry picked from commit c1fcbd5508a75ae3eaf5f311d706d026fee2fe48)
@@ -871,7 +871,17 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) | ||
871 | 871 | |
872 | 872 | if (p_ccb->is_first_seg) |
873 | 873 | { |
874 | + if (p_buf->len < sizeof(sdu_length)) | |
875 | + { | |
876 | + L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.", | |
877 | + __func__, p_buf->len); | |
878 | + android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0); | |
879 | + /* Discard the buffer */ | |
880 | + osi_free(p_buf); | |
881 | + return; | |
882 | + } | |
874 | 883 | STREAM_TO_UINT16(sdu_length, p); |
884 | + | |
875 | 885 | /* Check the SDU Length with local MTU size */ |
876 | 886 | if (sdu_length > p_ccb->local_conn_cfg.mtu) |
877 | 887 | { |
@@ -880,6 +890,9 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) | ||
880 | 890 | return; |
881 | 891 | } |
882 | 892 | |
893 | + p_buf->len -= sizeof(sdu_length); | |
894 | + p_buf->offset += sizeof(sdu_length); | |
895 | + | |
883 | 896 | if (sdu_length < p_buf->len) { |
884 | 897 | L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length); |
885 | 898 | android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0); |
@@ -898,8 +911,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) | ||
898 | 911 | p_data->len = 0; |
899 | 912 | p_ccb->ble_sdu_length = sdu_length; |
900 | 913 | L2CAP_TRACE_DEBUG ("%s SDU Length = %d",__func__,sdu_length); |
901 | - p_buf->len -= sizeof(sdu_length); | |
902 | - p_buf->offset += sizeof(sdu_length); | |
903 | 914 | p_data->offset = 0; |
904 | 915 | |
905 | 916 | } |
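Review bot: In the second hunk the header strip at new lines 893–894 now runs before the `sdu_length < p_buf->len` validation at 896, so every rejection path below it sees a p_buf whose len and offset are already advanced; the new early return at 874–882 discards the buffer with osi_free, but the tail of the 896 branch is outside the hunk, so confirm it likewise discards p_buf rather than handing it on with the adjusted offset. A one-line comment above 893 would make the new invariant explicit: `/* Strip the 2-byte SDU length header; every check below is against the remaining payload */`. As a minor point, the trace at 876 hard-codes "Need at least 2." while the guard at 874 uses `sizeof(sdu_length)`; `"%s: buffer length=%d too small. Need at least %d.", __func__, p_buf->len, (int)sizeof(sdu_length)` keeps the message and the check in step. l2c_lcc_proc_pdu starts before the first hunk and ends after the last.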