author | Myles Watson <mylesgw@google.com> | 2018-01-10 09:51:28 -0800 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-01-18 22:43:41 +0000 |
commit | ee4d866f9b69e4149fc3ade50958c754f1b3b2dd (patch) | |
tree | b59c3204aa502cce323e062c3f8cb54c81f3e041 | |
parent | 3eb33a27c483f685be99eb327cbf9a05ffa12c58 (diff) | |
PAN: Fix Use-after-free in bta_pan_data_buf_ind_cback
Patch from b/67078939
Test: build
Bug: 67110692
Change-Id: I63b857d031c55d3a0754e4101e330843eb422b2a
(cherry picked from commit 2a18e724b2bf101ea38a5b089de56842107c8369)
-rw-r--r-- | bta/pan/bta_pan_act.cc | 13 | ||||
-rw-r--r-- | stack/bnep/bnep_main.cc | 1 |
2 files changed, 6 insertions, 8 deletions
diff --git a/bta/pan/bta_pan_act.cc b/bta/pan/bta_pan_act.cc
index 0cbb9f79a..41e0bf6b4 100644
--- a/bta/pan/bta_pan_act.cc
+++ b/bta/pan/bta_pan_act.cc
@@ -174,6 +174,11 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src,
 tBTA_PAN_SCB* p_scb;
 BT_HDR* p_new_buf;
 
+ p_scb = bta_pan_scb_by_handle(handle);
+ if (p_scb == NULL) {
+ return;
+ }
+
 if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
 /* offset smaller than data structure in front of actual data */
 if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
@@ -181,7 +186,6 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src,
 android_errorWriteLog(0x534e4554, "63146237");
 APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
 p_buf->len);
- osi_free(p_buf);
 return;
 }
 p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
@@ -189,7 +193,6 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src,
 (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
 p_new_buf->len = p_buf->len;
 p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
- osi_free(p_buf);
 } else {
 p_new_buf = p_buf;
 }
@@ -200,12 +203,6 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src,
 ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->ext = ext;
 ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->forward = forward;
 
- p_scb = bta_pan_scb_by_handle(handle);
- if (p_scb == NULL) {
- osi_free(p_new_buf);
- return;
- }
-
 fixed_queue_enqueue(p_scb->data_queue, p_new_buf);
 BT_HDR* p_event = (BT_HDR*)osi_malloc(sizeof(BT_HDR));
 p_event->layer_specific = handle;
diff --git a/stack/bnep/bnep_main.cc b/stack/bnep/bnep_main.cc
index 475cc285b..cf7a91195 100644
--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc
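Review bot: The `} else {` / `p_new_buf = p_buf;` branch in the third hunk still hands the caller's buffer to `fixed_queue_enqueue(p_scb->data_queue, p_new_buf)`, while the bnep_main.cc hunk now calls `osi_free(p_buf)` as soon as this callback returns; if the enqueue retains the pointer (as its name suggests), the queued entry is dangling whenever `p_buf->offset` is already large enough to skip the copy, so the use-after-free is only moved, not removed. The straightforward fix is to copy on every path: close the outer `if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset)` right after the inner size-check block, drop the three lines `} else {`, `p_new_buf = p_buf;`, `}`, and let `p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);` and the memcpy run unconditionally. Hoisting the `bta_pan_scb_by_handle` lookup to the top is fine, but an ownership comment above it would make the rule checkable, e.g. `/* p_buf is owned by the caller (BNEP) and freed when we return; anything kept on data_queue must be a copy. */`. bta_pan_data_buf_ind_cback begins and ends outside these hunks, so other uses of p_buf in the function cannot be confirmed from here.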
@@ -601,6 +601,7 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
 if (bnep_cb.p_data_buf_cb) {
 (*bnep_cb.p_data_buf_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr,
 protocol, p_buf, fw_ext_present);
+ osi_free(p_buf);
 } else if (bnep_cb.p_data_ind_cb) {
 (*bnep_cb.p_data_ind_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr,
 protocol, p, rem_len, fw_ext_present);
|
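Review bot: The added `osi_free(p_buf)` makes BNEP the owner of p_buf across the p_data_buf_cb call, but nothing at the call site states that contract, and the callback registered for it (bta_pan_data_buf_ind_cback in this same commit) still stores p_buf directly on a queue on one of its paths. A one-line comment before the call would make the expectation explicit for every implementer of p_data_buf_cb: `/* The callback must copy anything it keeps; p_buf is released below. */`. The p_data_ind_cb branch and the remainder of bnep_data_ind are outside the hunk, so whether p_buf is freed on that path cannot be confirmed from here.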