author | Hui Peng <phui@google.com> | 2023-12-14 16:29:54 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-12-16 02:03:51 +0000 |
commit | a8477ca8bf4354e73f42a8d9b6bb857b3dc64ddd (patch) | |
tree | 832edd2b79223a94ac15cf111180bce65bc27940 | |
parent | c7d828dc60cef5d991b2e49984ecb7732562b368 (diff) | |
download | bt-a8477ca8bf4354e73f42a8d9b6bb857b3dc64ddd.tar.gz |
Revert "[conflict] Fix an OOB write bug in attp_build_value_cmd am: ddca760763 am: f1d188c940"
This reverts commit 936dfb1c72137d1e53479afccd5bf5e37018c340.
Reason for revert: b/315127634
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:2fbe22151b079c9128b8c3e65c01b6f959b2f698)
Merged-In: I331a93adbf534b44a2b6aade17469c27ce13cdb6
Change-Id: I331a93adbf534b44a2b6aade17469c27ce13cdb6
-rw-r--r-- | stack/gatt/att_protocol.cc | 60 |
1 files changed, 14 insertions, 46 deletions
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
index 8031090a4..e7d22c508 100644
--- a/stack/gatt/att_protocol.cc
+++ b/stack/gatt/att_protocol.cc
@@ -278,81 +278,49 @@ static BT_HDR* attp_build_opcode_cmd(uint8_t op_code) { * Returns None. * ******************************************************************************/ -BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code, - uint16_t handle, uint16_t offset, uint16_t len, - uint8_t* p_data) { - uint8_t *p, *pp, *p_pair_len; - size_t pair_len; - size_t size_now = 1; - - #define CHECK_SIZE() do { \ - if (size_now > payload_size) { \ - LOG(ERROR) << "payload size too small"; \ - osi_free(p_buf); \ - return nullptr; \ - } \ - } while (false) - +static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code, + uint16_t handle, uint16_t offset, + uint16_t len, uint8_t* p_data) { + uint8_t *p, *pp, pair_len, *p_pair_len; BT_HDR* p_buf = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET); p = pp = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET; - - CHECK_SIZE(); UINT8_TO_STREAM(p, op_code); p_buf->offset = L2CAP_MIN_OFFSET; + p_buf->len = 1; if (op_code == GATT_RSP_READ_BY_TYPE) { p_pair_len = p; pair_len = len + 2; - size_now += 1; - CHECK_SIZE(); - // this field will be backfilled in the end of this function + UINT8_TO_STREAM(p, pair_len); + p_buf->len += 1; } if (op_code != GATT_RSP_READ_BLOB && op_code != GATT_RSP_READ) { - size_now += 2; - CHECK_SIZE(); UINT16_TO_STREAM(p, handle); + p_buf->len += 2; } if (op_code == GATT_REQ_PREPARE_WRITE || op_code == GATT_RSP_PREPARE_WRITE) { - size_now += 2; - CHECK_SIZE(); UINT16_TO_STREAM(p, offset); + p_buf->len += 2; } - if (len > 0 && p_data != NULL && payload_size > size_now) { + if (len > 0 && p_data != NULL) { /* ensure data not exceed MTU size */ - if (payload_size - size_now < len) { - len = payload_size - size_now; + if (payload_size - p_buf->len < len) { + len = payload_size - p_buf->len; /* update handle value pair length */ - if (op_code == GATT_RSP_READ_BY_TYPE) { - pair_len = (len + 2); - } + if (op_code == GATT_RSP_READ_BY_TYPE) *p_pair_len = (len + 2); LOG(WARNING) 
<< StringPrintf( "attribute value too long, to be truncated to %d", len); } - size_now += len; - CHECK_SIZE(); ARRAY_TO_STREAM(p, p_data, len); + p_buf->len += len; } - // backfill pair len field - if (op_code == GATT_RSP_READ_BY_TYPE) { - if (pair_len > UINT8_MAX) { - LOG(ERROR) << "pair_len greater than" << UINT8_MAX; - osi_free(p_buf); - return nullptr; - } - - *p_pair_len = (uint8_t) pair_len; - } - - #undef CHECK_SIZE - - p_buf->len = (uint16_t) size_now; return p_buf; } |
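Review bot: The restored body of attp_build_value_cmd writes the opcode, the optional pair-length byte, the handle and the offset into a buffer of payload_size + L2CAP_MIN_OFFSET bytes without first checking that payload_size covers those 1–6 header bytes, and the only size comparison, `payload_size - p_buf->len < len`, happens inside the data-copy branch; with both operands promoted to int, a p_buf->len larger than payload_size makes that difference negative, so the assignment `len = payload_size - p_buf->len` wraps in uint16_t and ARRAY_TO_STREAM copies far past the allocation. Whatever regression b/315127634 describes (not visible here), a single guard before the `if (len > 0 && p_data != NULL)` branch would keep the allocation honest without reintroducing the reverted CHECK_SIZE machinery: `if (p_buf->len > payload_size) { osi_free(p_buf); return nullptr; }`. Separately, `pair_len` is now declared `uint8_t` while `len` is `uint16_t`, so `pair_len = len + 2` silently truncates for len >= 254 and the encoded pair length no longer matches the data that follows; the reverted version reported this case, and the restored one should at least log it. Both points apply to the new side of this hunk, which holds the whole function.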