OSDN > 開発者 > hafixie93 > 作業部屋 > system-bt > コミット

system-bt
Fork

コミット

DO NOT MERGE process_l2cap_cmd: Fix OOB

Bug: 119870451
Test: POC
Change-Id: Ieef322a3ad4cebcaf40e5388584d3a04a4761d2e
(cherry picked from commit 38f07a3c93143ca31229f0caa5b1a270dc1f5401)

--- a/stack/l2cap/l2c_main.c

+++ b/stack/l2cap/l2c_main.c

		@@ -490,7 +490,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)
490	490	{
491	491	case L2CAP_CFG_TYPE_MTU:
492	492	cfg_info.mtu_present = TRUE;
493		- if (p + 2 > p_next_cmd) {
	493	+ if (cfg_len != 2) {
	494	+ android_errorWriteLog(0x534e4554, "119870451");
	495	+ return;
	496	+ }
	497	+ if (p + cfg_len > p_next_cmd) {
494	498	android_errorWriteLog(0x534e4554, "74202041");
495	499	return;
496	500	}

		@@ -499,7 +503,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)
499	503
500	504	case L2CAP_CFG_TYPE_FLUSH_TOUT:
501	505	cfg_info.flush_to_present = TRUE;
502		- if (p + 2 > p_next_cmd) {
	506	+ if (cfg_len != 2) {
	507	+ android_errorWriteLog(0x534e4554, "119870451");
	508	+ return;
	509	+ }
	510	+ if (p + cfg_len > p_next_cmd) {
503	511	android_errorWriteLog(0x534e4554, "74202041");
504	512	return;
505	513	}

		@@ -508,7 +516,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)
508	516
509	517	case L2CAP_CFG_TYPE_QOS:
510	518	cfg_info.qos_present = TRUE;
511		- if (p + 2 + 5 * 4 > p_next_cmd) {
	519	+ if (cfg_len != 2 + 5 * 4) {
	520	+ android_errorWriteLog(0x534e4554, "119870451");
	521	+ return;
	522	+ }
	523	+ if (p + cfg_len > p_next_cmd) {
512	524	android_errorWriteLog(0x534e4554, "74202041");
513	525	return;
514	526	}

		@@ -523,7 +535,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)
523	535
524	536	case L2CAP_CFG_TYPE_FCR:
525	537	cfg_info.fcr_present = TRUE;
526		- if (p + 3 + 3 * 2 > p_next_cmd) {
	538	+ if (cfg_len != 3 + 3 * 2) {
	539	+ android_errorWriteLog(0x534e4554, "119870451");
	540	+ return;
	541	+ }
	542	+ if (p + cfg_len > p_next_cmd) {
527	543	android_errorWriteLog(0x534e4554, "74202041");
528	544	return;
529	545	}

		@@ -537,7 +553,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)
537	553
538	554	case L2CAP_CFG_TYPE_FCS:
539	555	cfg_info.fcs_present = TRUE;
540		- if (p + 1 > p_next_cmd) {
	556	+ if (cfg_len != 1) {
	557	+ android_errorWriteLog(0x534e4554, "119870451");
	558	+ return;
	559	+ }
	560	+ if (p + cfg_len > p_next_cmd) {
541	561	android_errorWriteLog(0x534e4554, "74202041");
542	562	return;
543	563	}

		@@ -546,7 +566,11 @@ static void process_l2cap_cmd (tL2C_LCB p_lcb, UINT8 p, UINT16 pkt_len)
546	566
547	567	case L2CAP_CFG_TYPE_EXT_FLOW:
548	568	cfg_info.ext_flow_spec_present = TRUE;
549		- if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
	569	+ if (cfg_len != 1 + 2 + 3 * 4) {
	570	+ android_errorWriteLog(0x534e4554, "119870451");
	571	+ return;
	572	+ }
	573	+ if (p + cfg_len > p_next_cmd) {
550	574	android_errorWriteLog(0x534e4554, "74202041");
551	575	return;
552	576	}

--- a/stack/l2cap/l2c_utils.c

+++ b/stack/l2cap/l2c_utils.c

		@@ -859,6 +859,9 @@ void l2cu_send_peer_config_rej (tL2C_CCB p_ccb, UINT8 p_data, UINT16 data_len,
859	859	case L2CAP_CFG_TYPE_MTU:
860	860	case L2CAP_CFG_TYPE_FLUSH_TOUT:
861	861	case L2CAP_CFG_TYPE_QOS:
	862	+ case L2CAP_CFG_TYPE_FCR:
	863	+ case L2CAP_CFG_TYPE_FCS:
	864	+ case L2CAP_CFG_TYPE_EXT_FLOW:
862	865	p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
863	866	break;
864	867