system/bt
| リビジョン | 2aa92f871c2f2ea2181b74b49bf152f2606fb7c5 (tree) |
|---|---|
| 日時 | 2019-11-27 06:37:36 |
| 作者 | Ted Wang <tedwang@goog...> |
| コミッター | Jakub Pawlowski |
Fix potential OOB write in btm_read_remote_ext_features_complete
Add event length check to avoid hci event sent from controller not
correct.
Add page number check to avoid page number is bigger than
HCI_EXT_FEATURES_PAGE_MAX.
Bug: 141552859
Bug: 144205318
Test: inject function
Merged-In: Iaca4db4ee9bf27362f62aba0da088727e98955d1
Change-Id: Iaca4db4ee9bf27362f62aba0da088727e98955d1
stack/btm/btm_acl.cc (diff)
stack/btm/btm_int.h (diff) stack/btu/btu_hcif.cc (diff) stack/include/hcidefs.h (diff)| @@ -1085,7 +1085,7 @@ void btm_read_remote_features_complete(uint8_t* p) { | ||
| 1085 | 1085 | * Returns void |
| 1086 | 1086 | * |
| 1087 | 1087 | ******************************************************************************/ |
| 1088 | -void btm_read_remote_ext_features_complete(uint8_t* p) { | |
| 1088 | +void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) { | |
| 1089 | 1089 | tACL_CONN* p_acl_cb; |
| 1090 | 1090 | uint8_t page_num, max_page; |
| 1091 | 1091 | uint16_t handle; |
| @@ -1093,6 +1093,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) { | ||
| 1093 | 1093 | |
| 1094 | 1094 | BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete"); |
| 1095 | 1095 | |
| 1096 | + if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) { | |
| 1097 | + android_errorWriteLog(0x534e4554, "141552859"); | |
| 1098 | + BTM_TRACE_ERROR( | |
| 1099 | + "btm_read_remote_ext_features_complete evt length too short. length=%d", | |
| 1100 | + evt_len); | |
| 1101 | + return; | |
| 1102 | + } | |
| 1103 | + | |
| 1096 | 1104 | ++p; |
| 1097 | 1105 | STREAM_TO_UINT16(handle, p); |
| 1098 | 1106 | STREAM_TO_UINT8(page_num, p); |
| @@ -1112,6 +1120,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) { | ||
| 1112 | 1120 | return; |
| 1113 | 1121 | } |
| 1114 | 1122 | |
| 1123 | + if (page_num > HCI_EXT_FEATURES_PAGE_MAX) { | |
| 1124 | + android_errorWriteLog(0x534e4554, "141552859"); | |
| 1125 | + BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid", | |
| 1126 | + page_num); | |
| 1127 | + return; | |
| 1128 | + } | |
| 1129 | + | |
| 1130 | + if (page_num > max_page) { | |
| 1131 | + BTM_TRACE_WARNING( | |
| 1132 | + "btm_read_remote_ext_features_complete num_page=%d, max_page=%d " | |
| 1133 | + "invalid", page_num, max_page); | |
| 1134 | + } | |
| 1135 | + | |
| 1115 | 1136 | p_acl_cb = &btm_cb.acl_db[acl_idx]; |
| 1116 | 1137 | |
| 1117 | 1138 | /* Copy the received features page */ |
| @@ -119,7 +119,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void); | ||
| 119 | 119 | extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr, |
| 120 | 120 | tBT_TRANSPORT transport); |
| 121 | 121 | extern void btm_read_remote_features_complete(uint8_t* p); |
| 122 | -extern void btm_read_remote_ext_features_complete(uint8_t* p); | |
| 122 | +extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len); | |
| 123 | 123 | extern void btm_read_remote_ext_features_failed(uint8_t status, |
| 124 | 124 | uint16_t handle); |
| 125 | 125 | extern void btm_read_remote_version_complete(uint8_t* p); |
| @@ -75,7 +75,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p); | ||
| 75 | 75 | static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len); |
| 76 | 76 | static void btu_hcif_encryption_change_evt(uint8_t* p); |
| 77 | 77 | static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p); |
| 78 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p); | |
| 78 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 79 | + uint8_t evt_len); | |
| 79 | 80 | static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p); |
| 80 | 81 | static void btu_hcif_qos_setup_comp_evt(uint8_t* p); |
| 81 | 82 | static void btu_hcif_command_complete_evt(BT_HDR* response, void* context); |
| @@ -295,7 +296,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) { | ||
| 295 | 296 | btu_hcif_read_rmt_features_comp_evt(p); |
| 296 | 297 | break; |
| 297 | 298 | case HCI_READ_RMT_EXT_FEATURES_COMP_EVT: |
| 298 | - btu_hcif_read_rmt_ext_features_comp_evt(p); | |
| 299 | + btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len); | |
| 299 | 300 | break; |
| 300 | 301 | case HCI_READ_RMT_VERSION_COMP_EVT: |
| 301 | 302 | btu_hcif_read_rmt_version_comp_evt(p); |
| @@ -1211,7 +1212,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) { | ||
| 1211 | 1212 | * Returns void |
| 1212 | 1213 | * |
| 1213 | 1214 | ******************************************************************************/ |
| 1214 | -static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | |
| 1215 | +static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p, | |
| 1216 | + uint8_t evt_len) { | |
| 1215 | 1217 | uint8_t* p_cur = p; |
| 1216 | 1218 | uint8_t status; |
| 1217 | 1219 | uint16_t handle; |
| @@ -1219,7 +1221,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) { | ||
| 1219 | 1221 | STREAM_TO_UINT8(status, p_cur); |
| 1220 | 1222 | |
| 1221 | 1223 | if (status == HCI_SUCCESS) |
| 1222 | - btm_read_remote_ext_features_complete(p); | |
| 1224 | + btm_read_remote_ext_features_complete(p, evt_len); | |
| 1223 | 1225 | else { |
| 1224 | 1226 | STREAM_TO_UINT16(handle, p_cur); |
| 1225 | 1227 | btm_read_remote_ext_features_failed(status, handle); |
| @@ -1323,6 +1323,8 @@ typedef struct { | ||
| 1323 | 1323 | |
| 1324 | 1324 | #define HCI_FEATURE_BYTES_PER_PAGE 8 |
| 1325 | 1325 | |
| 1326 | +#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13 | |
| 1327 | + | |
| 1326 | 1328 | #define HCI_FEATURES_KNOWN(x) \ |
| 1327 | 1329 | (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0) |
| 1328 | 1330 |
Fork