author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-14 17:33:21 +0000 |
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-07-14 17:33:21 +0000 |
commit | f92524d2199ea33fbb7b205ac07f5b5c02e6a550 (patch) | |
tree | ac6bb139df3b54a57d1b235be3de34e4e09585bd | |
parent | 4ea658d85349d007e9265696730b6adfa082b088 (diff) | |
parent | 3a5cfc9d4fdca092bebd61160c24e5ad39aab010 (diff) | |
Merge cherrypicks of ['googleplex-android-review.googlesource.com/22939797', 'googleplex-android-review.googlesource.com/23267812', 'googleplex-android-review.googlesource.com/23353147', 'googleplex-android-review.googlesource.com/22912152', 'googleplex-android-review.googlesource.com/23524098'] into security-aosp-rvc-release.
Change-Id: Ibeac98594578954af203154e2a5c2101f41240da
-rw-r--r-- | bta/av/bta_av_aact.cc | 5 | ||||
-rw-r--r-- | bta/av/bta_av_act.cc | 5 | ||||
-rw-r--r-- | stack/avdt/avdt_msg.cc | 4 | ||||
-rw-r--r-- | stack/gatt/gatt_cl.cc | 7 | ||||
-rw-r--r-- | stack/gatt/gatt_sr.cc | 17 |
5 files changed, 26 insertions, 12 deletions
diff --git a/bta/av/bta_av_aact.cc b/bta/av/bta_av_aact.cc
index 29dcea07b..4bb26fd41 100644
--- a/bta/av/bta_av_aact.cc
+++ b/bta/av/bta_av_aact.cc
@@ -1798,14 +1798,13 @@ void bta_av_getcap_results(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) {
 ******************************************************************************/ void bta_av_setconfig_rej(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) { tBTA_AV_REJECT reject; - uint8_t avdt_handle = p_data->ci_setconfig.avdt_handle; - bta_av_adjust_seps_idx(p_scb, avdt_handle); + bta_av_adjust_seps_idx(p_scb, p_scb->avdt_handle); LOG_DEBUG(LOG_TAG, "%s: sep_idx=%d avdt_handle=%d bta_handle=0x%x", __func__, p_scb->sep_idx, p_scb->avdt_handle, p_scb->hndl); AVDT_ConfigRsp(p_scb->avdt_handle, p_scb->avdt_label, AVDT_ERR_UNSUP_CFG, 0); - reject.bd_addr = p_data->str_msg.bd_addr; + reject.bd_addr = p_scb->PeerAddress(); reject.hndl = p_scb->hndl; tBTA_AV bta_av_data;
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
index 533b15dfa..20696bd90 100644
--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
@@ -1008,7 +1008,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) {
 av.remote_cmd.rc_handle = p_data->rc_msg.handle; (*p_cb->p_cback)(evt, &av); /* If browsing message, then free the browse message buffer */ - bta_av_rc_free_browse_msg(p_cb, p_data); + if (p_data->rc_msg.opcode == AVRC_OP_BROWSE && p_data->rc_msg.msg.browse.p_browse_pkt != NULL) { + bta_av_rc_free_browse_msg(p_cb, p_data); + } } }
diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index bf83d191e..3f8713c0b 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
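Review bot: With both reads of p_data removed, nothing in the visible part of bta_av_setconfig_rej records why the SCB's own avdt_handle and PeerAddress() are the values to trust, so the p_data->str_msg read is easy to reintroduce. A short comment above the bta_av_adjust_seps_idx call would keep the reasoning with the code: `/* p_data is presumably a union whose ci_setconfig/str_msg members are not valid for every event that reaches this action; the SCB already holds the handle and peer address */`. The function body continues past the hunk, so whether p_data is still used further down cannot be seen here; if it is not, mark the parameter unused per the file's convention rather than leaving it silently dead.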
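Review bot: The new guard in bta_av_rc_msg tests p_browse_pkt for NULL before freeing, but nothing in the hunk clears it afterwards, so the check only protects the first pass over this p_data; if bta_av_rc_free_browse_msg does not reset the pointer itself (its body is not in this diff), any later path that sees the same message frees it again. Having the free site reset the pointer, for example through `osi_free_and_reset((void**)&p_data->rc_msg.msg.browse.p_browse_pkt)` as the avdt hunk in this same commit does for p_rx_msg, makes the NULL check self-sustaining. The opcode condition also implies that non-browse messages previously reached the free unconditionally; say so in the comment above the if, e.g. `/* Only AVRC_OP_BROWSE messages own a browse buffer; other opcodes must never reach the free */`. bta_av_rc_msg begins before the hunk.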
@@ -1289,14 +1289,14 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
 * NOTE: The buffer is allocated above at the beginning of the * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE. */ - uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR); + size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR); /* adjust offset and len of fragment for header byte */ p_buf->offset += AVDT_LEN_TYPE_CONT; p_buf->len -= AVDT_LEN_TYPE_CONT; /* verify length */ - if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) { + if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) { /* won't fit; free everything */ AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__); osi_free_and_reset((void**)&p_ccb->p_rx_msg);
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index ff1e5af55..14732cdb0 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -586,12 +586,17 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
 memcpy(value.value, p, value.len); + bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE); + if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) { gatt_send_prepare_write(tcb, p_clcb); return; } - if (p_clcb->op_subtype == GATT_WRITE_PREPARE) { + // We now know that we have not terminated, or else we would have returned + // early. We free the buffer only if the subtype is not equal to + // GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF. + if (subtype_is_write_prepare) { /* application should verify handle offset and value are matched or not */ gatt_end_operation(p_clcb, p_clcb->status, &value);
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
index 4b4b5da6f..252732c73 100644
--- a/stack/gatt/gatt_sr.cc
+++ b/stack/gatt/gatt_sr.cc
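Review bot: The `p_buf->len -= AVDT_LEN_TYPE_CONT` two lines above the widened check has no guard that the fragment actually carries the continuation header byte, so a fragment whose len is smaller than AVDT_LEN_TYPE_CONT wraps (if len is the 16-bit BT_HDR field, as the `(size_t) p_buf->len` cast suggests) and is rejected only as a side effect of the size_t comparison that follows. That is correct but implicit; an explicit rejection before the subtraction, `if (p_buf->len < AVDT_LEN_TYPE_CONT) { /* free and return as the too-big path does */ }`, or at least a comment on the verify-length check noting that it also catches the underflow, keeps the invariant visible. avdt_msg_asmbl begins before and ends after the hunk, so an earlier length check may already exist; confirm before adding one.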
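Review bot: The cached subtype_is_write_prepare in gatt_process_prep_write_rsp is only safe because of a rule enforced inside gatt_check_write_long_terminate, that it frees p_clcb solely when op_subtype is not GATT_WRITE_PREPARE, yet that rule is documented only at this call site while the gatt_end_operation call on the next line still dereferences p_clcb->status. If the callee's freeing policy changes, the comment added here goes stale and the use-after-free returns with no compiler help. State the contract on gatt_check_write_long_terminate's own declaration, roughly "may free p_clcb before returning true unless op_subtype is GATT_WRITE_PREPARE; callers must not touch p_clcb after a true return in that case", so the invariant lives where it is enforced. gatt_process_prep_write_rsp starts before and continues after the hunk.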
@@ -114,7 +114,8 @@ void gatt_dequeue_sr_cmd(tGATT_TCB& tcb) {
 ******************************************************************************/ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status, tGATTS_RSP* p_msg, uint16_t mtu) { - uint16_t ii, total_len, len; + uint16_t ii; + size_t total_len, len; uint8_t* p; bool is_overflow = false;
@@ -169,16 +170,22 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status,
 len = p_rsp->attr_value.len - (total_len - mtu); is_overflow = true; VLOG(1) << StringPrintf( - "multi read overflow available len=%d val_len=%d", len, + "multi read overflow available len=%zu val_len=%d", len, p_rsp->attr_value.len); } else { len = p_rsp->attr_value.len; } if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) { - memcpy(p, p_rsp->attr_value.value, len); - if (!is_overflow) p += len; - p_buf->len += len; + // check for possible integer overflow + if (p_buf->len + len <= UINT16_MAX) { + memcpy(p, p_rsp->attr_value.value, len); + if (!is_overflow) p += len; + p_buf->len += len; + } else { + p_cmd->status = GATT_NOT_FOUND; + break; + } } else { p_cmd->status = GATT_NOT_FOUND; break; |
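Review bot: The new overflow branch in the second hunk of process_read_multi_rsp reports GATT_NOT_FOUND, the same status the handle-mismatch else below it uses, so a length overflow becomes indistinguishable from a bad handle both in the response and in logs. The two failure branches are also textually identical; either fold the bound into the condition, `if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii] && p_buf->len + len <= UINT16_MAX) {`, keeping the single else, or keep the separate branch but give it a distinct status and a VLOG line like the overflow message above. Note that with len now size_t (first hunk), `p_rsp->attr_value.len - (total_len - mtu)` would wrap to a huge value if total_len - mtu ever exceeded attr_value.len (the accumulation of total_len is outside the hunk); the UINT16_MAX bound then rejects it, which the `// check for possible integer overflow` comment should say since it is doing double duty. The function body continues past the hunk.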