Fix potential OOB write in libbluetooth

Check event id if of register notification command from remote to avoid OOB write. Tag: #security Bug: 168802990 Test: atest net_test_btif Change-Id: I90834b920d61bfb2df9414a25d73ba40033e4748 Merged-In: I90834b920d61bfb2df9414a25d73ba40033e4748 (cherry picked from commit 5d37d17af57c70d7faa459b92e5b1a758a5a8adb)
author: Ted Wang <tedwang@google.com> 2020-10-06 20:20:16 +0800
committer: android-build-team Robot <android-build-team-robot@google.com> 2020-11-18 22:51:53 +0000
commit: 783c7ec88031469291b007c3e5be52a656ce1891 (patch)
tree: 2b202ad9b33998ea9c6fbbd71e4b2620c8c432af
parent: 35fad6ff76f5bc4079b8e1cbee7bddae3e349222 (diff)
download: bt-783c7ec88031469291b007c3e5be52a656ce1891.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc
index f2396b45e..5a81d0d8a 100644
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -306,6 +306,13 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg,
         return AVRC_STS_INTERNAL_ERR;
       else {
         BE_STREAM_TO_UINT8(p_result->reg_notif.event_id, p);
+        if (!AVRC_IS_VALID_EVENT_ID(p_result->reg_notif.event_id)) {
+          android_errorWriteLog(0x534e4554, "168802990");
+          AVRC_TRACE_ERROR("%s: Invalid event id: %d", __func__,
+                           p_result->reg_notif.event_id);
+          return AVRC_STS_BAD_PARAM;
+        }
+
         BE_STREAM_TO_UINT32(p_result->reg_notif.param, p);
       }
       break;
author	Ted Wang <tedwang@google.com>	2020-10-06 20:20:16 +0800
committer	android-build-team Robot <android-build-team-robot@google.com>	2020-11-18 22:51:53 +0000
commit	783c7ec88031469291b007c3e5be52a656ce1891 (patch)
tree	2b202ad9b33998ea9c6fbbd71e4b2620c8c432af
parent	35fad6ff76f5bc4079b8e1cbee7bddae3e349222 (diff)
download	bt-783c7ec88031469291b007c3e5be52a656ce1891.tar.gz