リビジョン | e7e90a7d032db429ccfb80a7c046d6128162e326 (tree) |
---|---|
日時 | 2018-09-08 02:30:18 |
作者 | Pavlin Radoslavov <pavlin@goog...> |
コミッター | Ryan Longair |
DO NOT MERGE - Check data length when parsing AVRCP vendor specific command responses
Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
(cherry picked from commit 8148397ca29a4795dffdd6daadc33af43aa9694f)
@@ -56,14 +56,34 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p | ||
56 | 56 | if (p_msg->p_vendor_data == NULL) |
57 | 57 | return AVRC_STS_INTERNAL_ERR; |
58 | 58 | |
59 | + if (p_msg->vendor_len < 4) { | |
60 | + android_errorWriteLog(0x534e4554, "111450531"); | |
61 | + AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4", | |
62 | + __func__, p_msg->vendor_len); | |
63 | + return AVRC_STS_INTERNAL_ERR; | |
64 | + } | |
59 | 65 | p = p_msg->p_vendor_data; |
60 | 66 | BE_STREAM_TO_UINT8 (p_result->pdu, p); |
61 | 67 | p++; /* skip the reserved/packe_type byte */ |
62 | 68 | BE_STREAM_TO_UINT16 (len, p); |
63 | - AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x", | |
64 | - __func__, p_msg->hdr.ctype, p_result->pdu, len, len); | |
69 | + AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x vendor_len=0x%x", | |
70 | + __func__, p_msg->hdr.ctype, p_result->pdu, len, len, | |
71 | + p_msg->vendor_len); | |
72 | + if (p_msg->vendor_len < len + 4) { | |
73 | + android_errorWriteLog(0x534e4554, "111450531"); | |
74 | + AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", | |
75 | + __func__, p_msg->vendor_len, len + 4); | |
76 | + return AVRC_STS_INTERNAL_ERR; | |
77 | + } | |
78 | + | |
65 | 79 | if (p_msg->hdr.ctype == AVRC_RSP_REJ) |
66 | 80 | { |
81 | + if (len < 1) { | |
82 | + android_errorWriteLog(0x534e4554, "111450531"); | |
83 | + AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least 1", | |
84 | + __func__, len); | |
85 | + return AVRC_STS_INTERNAL_ERR; | |
86 | + } | |
67 | 87 | p_result->rsp.status = *p; |
68 | 88 | return p_result->rsp.status; |
69 | 89 | } |
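Review bot: The constant `4` in the two new guards (`vendor_len < 4` and `vendor_len < len + 4`) is the size of the vendor header that the three reads between them consume, but nothing in the hunk says so, and a later case that adds a field to the header would have to find both uses by hand. I would put a comment above the first guard, `/* vendor header: pdu(1) + reserved/packet_type(1) + param_len(2) = 4 bytes; len counts only the parameters that follow */`, and note that the second guard establishes the invariant `len` bytes of parameters are present that every `case` below relies on. The declaration of `len` is above the hunk, outside this view; if it is a UINT16 as the `BE_STREAM_TO_UINT16` read suggests, `len + 4` promotes to int and cannot wrap, which is worth stating in the comment so nobody "optimises" the comparison back into a 16-bit subtraction. The function avrc_pars_vendor_rsp starts before this hunk and continues past it.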
@@ -86,11 +106,25 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p | ||
86 | 106 | |
87 | 107 | case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */ |
88 | 108 | #if (AVRC_ADV_CTRL_INCLUDED == TRUE) |
109 | + if (len < 1) { | |
110 | + android_errorWriteLog(0x534e4554, "111450531"); | |
111 | + AVRC_TRACE_WARNING( | |
112 | + "%s: invalid parameter length %d: must be at least 1", __func__, | |
113 | + len); | |
114 | + return AVRC_STS_INTERNAL_ERR; | |
115 | + } | |
89 | 116 | BE_STREAM_TO_UINT8 (eventid, p); |
90 | 117 | if(AVRC_EVT_VOLUME_CHANGE==eventid |
91 | 118 | && (AVRC_RSP_CHANGED==p_msg->hdr.ctype || AVRC_RSP_INTERIM==p_msg->hdr.ctype |
92 | 119 | || AVRC_RSP_REJ==p_msg->hdr.ctype || AVRC_RSP_NOT_IMPL==p_msg->hdr.ctype)) |
93 | 120 | { |
121 | + if (len < 2) { | |
122 | + android_errorWriteLog(0x534e4554, "111450531"); | |
123 | + AVRC_TRACE_WARNING( | |
124 | + "%s: invalid parameter length %d: must be at least 2", __func__, | |
125 | + len); | |
126 | + return AVRC_STS_INTERNAL_ERR; | |
127 | + } | |
94 | 128 | p_result->reg_notif.status=p_msg->hdr.ctype; |
95 | 129 | p_result->reg_notif.event_id=eventid; |
96 | 130 | BE_STREAM_TO_UINT8 (p_result->reg_notif.param.volume, p); |
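Review bot: The two guards added before `BE_STREAM_TO_UINT8 (eventid, p)` and before the volume read are the same five-line log-warn-return block that already appears three times in the earlier hunk, differing only in the minimum and the message; five hand-copied copies of the SNET log id and the format string is how the next per-PDU case ends up with a typo'd bug id or a missing `return`. I would factor them into one file-local helper, e.g. `static bool avrc_check_param_len(UINT16 len, UINT16 min, const char *func)` that does the `android_errorWriteLog`, the `AVRC_TRACE_WARNING` and returns false, so each case becomes `if (!avrc_check_param_len(len, 2, __func__)) return AVRC_STS_INTERNAL_ERR;`. The `switch` and the function continue past this hunk, so any case after AVRC_PDU_REGISTER_NOTIFICATION that still reads from `p` needs the same `len` guard; I cannot see those cases from here, but the commit message only names the length checks shown, so they are worth a second look.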