authorHansong Zhang <hsz@google.com>2018-01-10 13:43:25 -0800
committerandroid-build-team Robot <android-build-team-robot@google.com>2018-01-18 19:08:06 +0000
commita50e70468c0a8d207e416e273d05a08635bdd45f (patch)
tree49206a08e59ca69fcb1c8b12fd803b0ddeb6c6e9
parentf0edf6571d2d58e66ee0b100ebe49c585d31489f (diff)
downloadbt-a50e70468c0a8d207e416e273d05a08635bdd45f.tar.gz
Fix unexpected behavior in reading BNEP packets
Bug: 67863755 Bug: 69177251 Bug: 69177292 Bug: 69271284 Test: BNEP still works Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372 (cherry picked from commit 9844ddac4c0aaf217326c56f2814d145c11eb042)
-rw-r--r--stack/bnep/bnep_main.cc13
-rw-r--r--stack/bnep/bnep_utils.cc23
2 files changed, 32 insertions, 4 deletions
diff --git a/stack/bnep/bnep_main.cc b/stack/bnep/bnep_main.cc
index ce09c47f7..475cc285b 100644
--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc
@@ -34,6 +34,7 @@
#include "l2c_api.h"
#include "l2cdefs.h"
+#include "log/log.h"
#include "btm_api.h"
#include "btu.h"
@@ -474,18 +475,20 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
org_len = rem_len;
new_len = 0;
do {
+ if (org_len < 2) break;
ext = *p++;
length = *p++;
p += length;
+ new_len = (length + 2);
+ if (new_len > org_len) break;
+
if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
bnep_send_command_not_understood(p_bcb, *p);
- new_len += (length + 2);
-
- if (new_len > org_len) break;
-
+ org_len -= new_len;
} while (ext & 0x80);
+ android_errorWriteLog(0x534e4554, "67863755");
}
osi_free(p_buf);
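Review bot: The guard `if (new_len > org_len) break;` still lets the `*p` read on the following `if` line reach one byte beyond the `org_len` bytes the loop has accounted for when `new_len == org_len`, because `p` has already been advanced by `length + 2` and the command-type byte is then dereferenced with no check that anything remains. Changing it to `if (new_len >= org_len) break;` makes that byte lie inside the remaining data before it is read. `p += length` is also executed before the bound is checked, so the pointer can momentarily point past the buffer; moving the comparison ahead of the `p += length` keeps the pointer arithmetic within the object. Separately, `android_errorWriteLog(0x534e4554, "67863755")` appears to run whenever the loop finishes rather than only when a bad length was rejected, and the `"69271284"` call in the next hunk fires on every extension header of every packet, so neither entry is a usable detection signal and both belong in the rejecting branches. bnep_data_ind and its enclosing block continue outside the hunk.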
@@ -530,6 +533,8 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
} else {
while (extension_present && p && rem_len) {
ext_type = *p++;
+ rem_len--;
+ android_errorWriteLog(0x534e4554, "69271284");
extension_present = ext_type >> 7;
ext_type &= 0x7F;
diff --git a/stack/bnep/bnep_utils.cc b/stack/bnep/bnep_utils.cc
index a3626350f..3bab9eebd 100644
--- a/stack/bnep/bnep_utils.cc
+++ b/stack/bnep/bnep_utils.cc
@@ -22,6 +22,8 @@
*
******************************************************************************/
+#include <cutils/log.h>
+
#include <stdio.h>
#include <string.h>
#include "bnep_int.h"
@@ -750,6 +752,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
break;
case BNEP_SETUP_CONNECTION_REQUEST_MSG:
+ if (*rem_len < 1) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
+ __func__);
+ android_errorWriteLog(0x534e4554, "69177292");
+ goto bad_packet_length;
+ }
len = *p++;
if (*rem_len < ((2 * len) + 1)) {
BNEP_TRACE_ERROR(
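Review bot: The new length guard is pasted three times with only the minimum (`1` or `2`) and the message name differing, here and in the two following hunks for `BNEP_FILTER_NET_TYPE_SET_MSG` and `BNEP_FILTER_MULTI_ADDR_SET_MSG`; a small local macro that takes the minimum length and the message name and expands to the trace, the `android_errorWriteLog` call and the `goto bad_packet_length` would keep the three in step and make the next `case` that reads from `p` less likely to be missed. The minimum in each guard should be stated as the size of the immediately following read, e.g. `/* need 1 byte: len */` before `len = *p++;` and `/* need 2 bytes: BE_STREAM_TO_UINT16 */` before the other two, so a reader can verify the constant against the read. This assumes `bad_packet_length` is the existing exit label used by the length checks that follow, which is not visible in the hunk. bnep_process_control_packet continues outside the hunk.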
@@ -775,6 +784,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
break;
case BNEP_FILTER_NET_TYPE_SET_MSG:
+ if (*rem_len < 2) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
+ __func__);
+ android_errorWriteLog(0x534e4554, "69177292");
+ goto bad_packet_length;
+ }
BE_STREAM_TO_UINT16(len, p);
if (*rem_len < (len + 2)) {
BNEP_TRACE_ERROR(
@@ -800,6 +816,13 @@ uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
break;
case BNEP_FILTER_MULTI_ADDR_SET_MSG:
+ if (*rem_len < 2) {
+ BNEP_TRACE_ERROR(
+ "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
+ __func__);
+ android_errorWriteLog(0x534e4554, "69177292");
+ goto bad_packet_length;
+ }
BE_STREAM_TO_UINT16(len, p);
if (*rem_len < (len + 2)) {
BNEP_TRACE_ERROR(