diff options
| author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-10-18 18:57:29 +0000 |
|---|---|---|
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-10-18 18:57:29 +0000 |
| commit | f2ab04aaaa66a14bbf8550aac7d0416c42e376b7 (patch) | |
| tree | 9dfea8f47ca670d344207cc952c2ac5b24456075 | |
| parent | becbc7fddb82957388935b1dd1e01ad5fd8c22ba (diff) | |
| parent | 4df518a6ebbfd979c4bd905cba5ae4985bb821c2 (diff) | |
| download | bt-android-platform-12.1.0_r12.tar.gz | |
Merge cherrypicks of [19747493, 19747691, 19680236, 19698630] into sc-v2-platform-release.android-platform-12.1.0_r12android-platform-12.1.0_r11android-platform-12.1.0_r10
Change-Id: If523d2e0ebb41608e1c958c9204570d088f2861c
| -rw-r--r-- | stack/avct/avct_lcb_act.cc | 15 | ||||
| -rw-r--r-- | stack/avdt/avdt_msg.cc | 6 | ||||
| -rw-r--r-- | stack/avdt/avdt_scb_act.cc | 2 | ||||
| -rw-r--r-- | stack/avrc/avrc_pars_ct.cc | 39 | ||||
| -rw-r--r-- | stack/avrc/avrc_pars_tg.cc | 2 | ||||
| -rw-r--r-- | stack/bnep/bnep_api.cc | 1 |
6 files changed, 31 insertions, 34 deletions
diff --git a/stack/avct/avct_lcb_act.cc b/stack/avct/avct_lcb_act.cc index 9e32ee4e9..1b4197861 100644 --- a/stack/avct/avct_lcb_act.cc +++ b/stack/avct/avct_lcb_act.cc @@ -67,7 +67,12 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) { pkt_type = AVCT_PKT_TYPE(p); /* quick sanity check on length */ - if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) { + if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] || + (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) { + if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) > + BT_DEFAULT_BUFFER_SIZE) { + android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0); + } osi_free(p_buf); AVCT_TRACE_WARNING("Bad length during reassembly"); p_ret = NULL; @@ -88,13 +93,19 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) { if (p_lcb->p_rx_msg != NULL) AVCT_TRACE_WARNING("Got start during reassembly"); - osi_free(p_lcb->p_rx_msg); + osi_free_and_reset((void**)&p_lcb->p_rx_msg); /* * Allocate bigger buffer for reassembly. As lower layers are * not aware of possible packet size after reassembly, they * would have allocated smaller buffer. */ + if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) { + android_errorWriteLog(0x534e4554, "232023771"); + osi_free(p_buf); + p_ret = NULL; + return p_ret; + } p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len); diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc index 41b9f9a89..d0c54343c 100644 --- a/stack/avdt/avdt_msg.cc +++ b/stack/avdt/avdt_msg.cc @@ -1250,11 +1250,13 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) { * not aware of possible packet size after reassembly, they * would have allocated smaller buffer. */ - p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) { android_errorWriteLog(0x534e4554, "232023771"); - return NULL; + osi_free(p_buf); + p_ret = NULL; + return p_ret; } + p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len); /* Free original buffer */ diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc index fdf5570ab..fcb082bc1 100644 --- a/stack/avdt/avdt_scb_act.cc +++ b/stack/avdt/avdt_scb_act.cc @@ -310,7 +310,7 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) { uint8_t* p_start = p; uint32_t ssrc; uint8_t o_v, o_p, o_cc; - uint16_t min_len = 0; + uint32_t min_len = 0; AVDT_REPORT_TYPE pt; tAVDT_REPORT_DATA report; diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc index db3ee7594..2d6f8b264 100644 --- a/stack/avrc/avrc_pars_ct.cc +++ b/stack/avrc/avrc_pars_ct.cc @@ -141,7 +141,7 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, tAVRC_STS avrc_parse_notification_rsp(uint8_t* p_stream, uint16_t len, tAVRC_REG_NOTIF_RSP* p_rsp) { - uint16_t min_len = 1; + uint32_t min_len = 1; if (len < min_len) goto length_error; BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream); @@ -237,7 +237,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, } BE_STREAM_TO_UINT8(pdu, p); uint16_t pkt_len; - uint16_t min_len = 0; + uint32_t min_len = 0; /* read the entire packet len */ BE_STREAM_TO_UINT16(pkt_len, p); @@ -279,7 +279,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, get_item_rsp->uid_counter, get_item_rsp->item_count); /* get each of the items */ - get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_malloc( + get_item_rsp->p_item_list = (tAVRC_ITEM*)osi_calloc( get_item_rsp->item_count * (sizeof(tAVRC_ITEM))); tAVRC_ITEM* curr_item = get_item_rsp->p_item_list; for (int i = 0; i < get_item_rsp->item_count; i++) { @@ -369,7 +369,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, __func__, media->type, media->name.charset_id, media->name.str_len, media->attr_count); - media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_malloc( + media->p_attr_list = (tAVRC_ATTR_ENTRY*)osi_calloc( media->attr_count * sizeof(tAVRC_ATTR_ENTRY)); for (int jk = 0; jk < media->attr_count; jk++) { tAVRC_ATTR_ENTRY* attr_entry = &(media->p_attr_list[jk]); @@ -380,14 +380,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, /* Parse the name now */ BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p); BE_STREAM_TO_UINT16(attr_entry->name.str_len, p); - if (static_cast<uint16_t>(min_len + attr_entry->name.str_len) < - min_len) { - // Check for overflow - android_errorWriteLog(0x534e4554, "205570663"); - } - if (pkt_len - min_len < attr_entry->name.str_len) - goto browse_length_error; min_len += attr_entry->name.str_len; + if (pkt_len < min_len) goto browse_length_error; attr_entry->name.p_str = (uint8_t*)osi_malloc( attr_entry->name.str_len * sizeof(uint8_t)); BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str, @@ -441,7 +435,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, } BE_STREAM_TO_UINT8(get_attr_rsp->status, p) BE_STREAM_TO_UINT8(get_attr_rsp->num_attrs, p); - get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_malloc( + get_attr_rsp->p_attrs = (tAVRC_ATTR_ENTRY*)osi_calloc( get_attr_rsp->num_attrs * sizeof(tAVRC_ATTR_ENTRY)); for (int i = 0; i < get_attr_rsp->num_attrs; i++) { tAVRC_ATTR_ENTRY* attr_entry = &(get_attr_rsp->p_attrs[i]); @@ -450,14 +444,8 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, BE_STREAM_TO_UINT32(attr_entry->attr_id, p); BE_STREAM_TO_UINT16(attr_entry->name.charset_id, p); BE_STREAM_TO_UINT16(attr_entry->name.str_len, p); - if (static_cast<uint16_t>(min_len + attr_entry->name.str_len) < - min_len) { - // Check for overflow - android_errorWriteLog(0x534e4554, "205570663"); - } - if (pkt_len - min_len < attr_entry->name.str_len) - goto browse_length_error; min_len += attr_entry->name.str_len; + if (pkt_len < min_len) goto browse_length_error; attr_entry->name.p_str = (uint8_t*)osi_malloc(attr_entry->name.str_len * sizeof(uint8_t)); BE_STREAM_TO_ARRAY(p, attr_entry->name.p_str, attr_entry->name.str_len); @@ -493,7 +481,7 @@ static tAVRC_STS avrc_pars_browse_rsp(tAVRC_MSG_BROWSE* p_msg, __func__, set_br_pl_rsp->status, set_br_pl_rsp->num_items, set_br_pl_rsp->charset_id, set_br_pl_rsp->folder_depth); - set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_malloc( + set_br_pl_rsp->p_folders = (tAVRC_NAME*)osi_calloc( set_br_pl_rsp->folder_depth * sizeof(tAVRC_NAME)); /* Read each of the folder in the depth */ @@ -553,7 +541,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p++; /* skip the reserved/packe_type byte */ uint16_t len; - uint16_t min_len = 0; + uint32_t min_len = 0; BE_STREAM_TO_UINT16(len, p); AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d vendor_len=0x%x", __func__, p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len); @@ -827,12 +815,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p); BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p); BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p); - if (static_cast<uint16_t>(min_len + p_attrs[i].name.str_len) < - min_len) { - // Check for overflow - android_errorWriteLog(0x534e4554, "205570663"); - } - if (len - min_len < p_attrs[i].name.str_len) { + min_len += p_attrs[i].name.str_len; + if (len < min_len) { for (int j = 0; j < i; j++) { osi_free(p_attrs[j].name.p_str); } @@ -840,7 +824,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_attrs.num_attrs = 0; goto length_error; } - min_len += p_attrs[i].name.str_len; if (p_attrs[i].name.str_len > 0) { p_attrs[i].name.p_str = (uint8_t*)osi_calloc(p_attrs[i].name.str_len); diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc index 8d239b21e..fdd1c06cb 100644 --- a/stack/avrc/avrc_pars_tg.cc +++ b/stack/avrc/avrc_pars_tg.cc @@ -437,7 +437,7 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, uint8_t* p = p_msg->p_browse_data; int count; - uint16_t min_len = 3; + uint32_t min_len = 3; RETURN_STATUS_IF_FALSE(AVRC_STS_BAD_CMD, (p_msg->browse_len >= min_len), "msg too short"); diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc index 455dc168d..099637089 100644 --- a/stack/bnep/bnep_api.cc +++ b/stack/bnep/bnep_api.cc @@ -256,6 +256,7 @@ tBNEP_RESULT BNEP_ConnectResp(uint16_t handle, tBNEP_RESULT resp) { p = (uint8_t*)(p_bcb->p_pending_data + 1) + p_bcb->p_pending_data->offset; while (extension_present && p && rem_len) { ext_type = *p++; + rem_len--; extension_present = ext_type >> 7; ext_type &= 0x7F; |