

コミットメタ情報

リビジョン153e2d50c1e8c52a27c3a954a77664d576b96b82 (tree)
日時2019-12-20 06:20:42
作者Jakub Pawlowski <jpawlowski@goog...>
コミッターMyles Watson

ログメッセージ

Fix potential OOB when parsing inquiry results

Bug: 141620271
Change-Id: I30c7558b1ae1a77d0004760ef831480347a06e11
(cherry picked from commit c44516749af81bc5fc79afc0772f42bf0ec37bd4)

変更サマリ

差分

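--- a/stack/btm/btm_inq.cc
+++ b/stack/btm/btm_inq.cc
@@ -25,6 +25,7 @@
  *
  ******************************************************************************/
 
+#include <log/log.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -1602,7 +1603,8 @@ static void btm_initiate_inquiry(tBTM_INQUIRY_VAR_ST* p_inq) {
  * Returns void
  *
  ******************************************************************************/
-void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode) {
+void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+ uint8_t inq_res_mode) {
  uint8_t num_resp, xx;
  RawAddress bda;
  tINQ_DB_ENT* p_i;
@@ -1631,10 +1633,29 @@ void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode) {
 
  STREAM_TO_UINT8(num_resp, p);
 
- if (inq_res_mode == BTM_INQ_RESULT_EXTENDED && (num_resp > 1)) {
- BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1",
- num_resp);
- return;
+ if (inq_res_mode == BTM_INQ_RESULT_EXTENDED) {
+ if (num_resp > 1) {
+ BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1",
+ num_resp);
+ return;
+ }
+
+ constexpr uint16_t extended_inquiry_result_size = 254;
+ if (hci_evt_len - 1 != extended_inquiry_result_size) {
+ android_errorWriteLog(0x534e4554, "141620271");
+ BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__,
+ num_resp, hci_evt_len);
+ return;
+ }
+ } else if (inq_res_mode == BTM_INQ_RESULT_STANDARD ||
+ inq_res_mode == BTM_INQ_RESULT_WITH_RSSI) {
+ constexpr uint16_t inquiry_result_size = 14;
+ if (hci_evt_len < num_resp * inquiry_result_size) {
+ android_errorWriteLog(0x534e4554, "141620271");
+ BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__,
+ num_resp, hci_evt_len);
+ return;
+ }
  }
 
  for (xx = 0; xx < num_resp; xx++) {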
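Review bot: The standard/RSSI guard `if (hci_evt_len < num_resp * inquiry_result_size)` does not account for the num_responses byte that `STREAM_TO_UINT8(num_resp, p)` has already consumed, whereas the extended branch compares `hci_evt_len - 1`; an event whose parameter length is exactly `num_resp * 14` therefore passes the check while the last result is one byte short, leaving a one-byte over-read on the final iteration of the loop below. If hci_evt_len is the full parameter length as the extended branch's `- 1` implies, the guard should read `if (hci_evt_len < 1 + num_resp * inquiry_result_size) {`. The two size constants would also be clearer with a one-line comment stating that they are the per-response sizes of the HCI inquiry result event formats, since the numbers 14 and 254 are otherwise unexplained. The body of btm_process_inq_results, including the loop that reads the results, continues outside the hunk.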
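--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -65,7 +65,8 @@ extern void btm_inq_remote_name_timer_timeout(void* data);
 /* Inquiry related functions */
 extern void btm_clr_inq_db(const RawAddress* p_bda);
 extern void btm_inq_db_init(void);
-extern void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode);
+extern void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len,
+ uint8_t inq_res_mode);
 extern void btm_process_inq_complete(uint8_t status, uint8_t mode);
 extern void btm_process_cancel_complete(uint8_t status, uint8_t mode);
 extern void btm_event_filter_complete(uint8_t* p);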
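Review bot: The new `hci_evt_len` parameter on the `btm_process_inq_results` prototype is undocumented, and the length check only works if every caller agrees on what it measures; the extended-result check in btm_inq.cc treats it as the HCI event parameter length including the leading num_responses byte. A comment above the declaration would pin that contract, e.g. `/* hci_evt_len: parameter length of the HCI inquiry result event, including the num_responses byte, used to bound the parse */`. Whether the existing callers pass exactly that value is not visible from this header and should be confirmed against btu_hcif.cc.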
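--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -64,9 +64,10 @@ extern void smp_cancel_start_encryption_attempt();
 /* L O C A L F U N C T I O N P R O T O T Y P E S */
 /******************************************************************************/
 static void btu_hcif_inquiry_comp_evt(uint8_t* p);
-static void btu_hcif_inquiry_result_evt(uint8_t* p);
-static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p);
-static void btu_hcif_extended_inquiry_result_evt(uint8_t* p);
+static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len);
+static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len);
+static void btu_hcif_extended_inquiry_result_evt(uint8_t* p,
+ uint8_t hci_evt_len);
 
 static void btu_hcif_connection_comp_evt(uint8_t* p);
 static void btu_hcif_connection_request_evt(uint8_t* p);
@@ -263,13 +264,13 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
  btu_hcif_inquiry_comp_evt(p);
  break;
  case HCI_INQUIRY_RESULT_EVT:
- btu_hcif_inquiry_result_evt(p);
+ btu_hcif_inquiry_result_evt(p, hci_evt_len);
  break;
  case HCI_INQUIRY_RSSI_RESULT_EVT:
- btu_hcif_inquiry_rssi_result_evt(p);
+ btu_hcif_inquiry_rssi_result_evt(p, hci_evt_len);
  break;
  case HCI_EXTENDED_INQUIRY_RESULT_EVT:
- btu_hcif_extended_inquiry_result_evt(p);
+ btu_hcif_extended_inquiry_result_evt(p, hci_evt_len);
  break;
  case HCI_CONNECTION_COMP_EVT:
  btu_hcif_connection_comp_evt(p);
@@ -948,9 +949,9 @@ static void btu_hcif_inquiry_comp_evt(uint8_t* p) {
  * Returns void
  *
  ******************************************************************************/
-static void btu_hcif_inquiry_result_evt(uint8_t* p) {
+static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len) {
  /* Store results in the cache */
- btm_process_inq_results(p, BTM_INQ_RESULT_STANDARD);
+ btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_STANDARD);
 }
 
 /*******************************************************************************
@@ -962,9 +963,9 @@ static void btu_hcif_inquiry_result_evt(uint8_t* p) {
  * Returns void
  *
  ******************************************************************************/
-static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p) {
+static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len) {
  /* Store results in the cache */
- btm_process_inq_results(p, BTM_INQ_RESULT_WITH_RSSI);
+ btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_WITH_RSSI);
 }
 
 /*******************************************************************************
@@ -976,9 +977,10 @@ static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p) {
  * Returns void
  *
  ******************************************************************************/
-static void btu_hcif_extended_inquiry_result_evt(uint8_t* p) {
+static void btu_hcif_extended_inquiry_result_evt(uint8_t* p,
+ uint8_t hci_evt_len);
+ uint8_t hci_evt_len) {
  /* Store results in the cache */
- btm_process_inq_results(p, BTM_INQ_RESULT_EXTENDED);
+ btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_EXTENDED);
 }
 
 /*******************************************************************************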
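Review bot: The three forwarding handlers `btu_hcif_inquiry_result_evt`, `btu_hcif_inquiry_rssi_result_evt` and `btu_hcif_extended_inquiry_result_evt` gain a `hci_evt_len` parameter, but the function header comments above each of them (only their `* Returns void` tails are inside the hunks) still say nothing about it, so this file never states what length is being forwarded. Each header should gain a line in the file's existing comment style saying that hci_evt_len is the parameter length of the HCI event being dispatched and is passed through unchanged so btm_process_inq_results can bound its parse. The value itself is read in btu_hcif_process_event above the switch hunk, outside what is shown here, so whether it is the raw length byte or something already adjusted cannot be confirmed from this page and is worth checking against the `- 1` arithmetic in btm_inq.cc. Note also that the other handlers in the same switch, such as `btu_hcif_inquiry_comp_evt(p)` and `btu_hcif_connection_comp_evt(p)`, still receive no length, so only these three event types are bounded by this change.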