diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2018-05-25 18:42:20 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-05-25 18:42:20 +0000 |
commit | be77fe9c295a17a449309bc1d3501a3bc6ce5c4f (patch) | |
tree | c4c4967fd140f932f5cf2aa0e7c5c7d8801f646d | |
parent | 6bde1f2e5c1700370fe98eba5e7b00b13debe68b (diff) | |
parent | f1c2c86080bcd7b3142ff821441696fc99c2bc9a (diff) | |
download | bt-oreo-m6-s2-release.tar.gz |
Merge cherrypicks of [4195294, 4195296, 4195440, 4195441, 4186165, 4186166, 4186580, 4195442, 4195443, 4186193, 4186194, 4186195, 4186196, 4186607, 4195444, 4195297, 4186608, 4186609, 4186610, 4186611, 4186612, 4186613, 4186614, 4186649, 4186650, 4186651, 4186652, 4186653, 4186654, 4186655, 4186656, 4186657, 4195518, 4195519, 4195520, 4195521, 4195522, 4186406, 4186407, 4186408, 4195523, 4195558, 4195559, 4186197, 4195524, 4186615, 4195445, 4195446, 4186829, 4186830, 4186831, 4186832, 4186833, 4186834, 4186835, 4186836, 4186837, 4195578, 4195579, 4195580, 4195581, 4195447, 4186581, 4195448, 4195560] into sparse-4749909-L06000000176800346android-8.1.0_r41oreo-m6-s2-release
Change-Id: I81960fc50b6324e0a6d23936980b80a5de1a1676
-rw-r--r-- | bta/dm/bta_dm_act.cc | 21 | ||||
-rw-r--r-- | bta/pan/bta_pan_act.cc | 34 | ||||
-rw-r--r-- | btif/src/btif_rc.cc | 7 | ||||
-rw-r--r-- | btif/src/btif_storage.cc | 4 | ||||
-rw-r--r-- | stack/avrc/avrc_pars_ct.cc | 4 | ||||
-rw-r--r-- | stack/bnep/bnep_api.cc | 9 | ||||
-rw-r--r-- | stack/bnep/bnep_main.cc | 1 | ||||
-rw-r--r-- | stack/gatt/gatt_sr.cc | 29 | ||||
-rw-r--r-- | stack/l2cap/l2c_ble.cc | 5 | ||||
-rw-r--r-- | stack/l2cap/l2c_fcr.cc | 22 | ||||
-rw-r--r-- | stack/l2cap/l2c_main.cc | 104 | ||||
-rw-r--r-- | stack/pan/pan_main.cc | 12 | ||||
-rw-r--r-- | stack/smp/p_256_ecc_pp.cc | 22 | ||||
-rw-r--r-- | stack/smp/p_256_ecc_pp.h | 3 | ||||
-rw-r--r-- | stack/smp/smp_act.cc | 12 | ||||
-rw-r--r-- | stack/smp/smp_main.cc | 8 |
16 files changed, 254 insertions, 43 deletions
diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc index 187bc68e0..175e3faf2 100644 --- a/bta/dm/bta_dm_act.cc +++ b/bta/dm/bta_dm_act.cc @@ -28,6 +28,7 @@ #include <base/bind.h> #include <base/callback.h> #include <base/logging.h> +#include <cutils/log.h> #include <string.h> #include "bt_common.h" @@ -146,6 +147,8 @@ static void bta_dm_ctrl_features_rd_cmpl_cback(tBTM_STATUS result); #define BTA_DM_SWITCH_DELAY_TIMER_MS 500 #endif +#define BTA_MAX_SERVICES 32 + static void bta_dm_reset_sec_dev_pending(const RawAddress& remote_bd_addr); static void bta_dm_remove_sec_dev_entry(const RawAddress& remote_bd_addr); static void bta_dm_observe_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir, @@ -1486,7 +1489,7 @@ void bta_dm_sdp_result(tBTA_DM_MSG* p_data) { tBT_UUID service_uuid; uint32_t num_uuids = 0; - uint8_t uuid_list[32][MAX_UUID_SIZE]; // assuming a max of 32 services + uint8_t uuid_list[BTA_MAX_SERVICES][MAX_UUID_SIZE]; // assuming a max of 32 services if ((p_data->sdp_event.sdp_result == SDP_SUCCESS) || (p_data->sdp_event.sdp_result == SDP_NO_RECS_MATCH) || @@ -1554,8 +1557,12 @@ void bta_dm_sdp_result(tBTA_DM_MSG* p_data) { bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index - 1]; /* Add to the list of UUIDs */ - sdpu_uuid16_to_uuid128(tmp_svc, uuid_list[num_uuids]); - num_uuids++; + if (num_uuids < BTA_MAX_SERVICES) { + sdpu_uuid16_to_uuid128(tmp_svc, uuid_list[num_uuids]); + num_uuids++; + } else { + android_errorWriteLog(0x534e4554, "74016921"); + } } } } @@ -1587,8 +1594,12 @@ void bta_dm_sdp_result(tBTA_DM_MSG* p_data) { SDP_FindServiceInDb_128bit(bta_dm_search_cb.p_sdp_db, p_sdp_rec); if (p_sdp_rec) { if (SDP_FindServiceUUIDInRec_128bit(p_sdp_rec, &temp_uuid)) { - memcpy(uuid_list[num_uuids], temp_uuid.uu.uuid128, MAX_UUID_SIZE); - num_uuids++; + if (num_uuids < BTA_MAX_SERVICES) { + memcpy(uuid_list[num_uuids], temp_uuid.uu.uuid128, MAX_UUID_SIZE); + num_uuids++; + } else { + android_errorWriteLog(0x534e4554, "74016921"); + } } } } while (p_sdp_rec); diff --git a/bta/pan/bta_pan_act.cc b/bta/pan/bta_pan_act.cc index 41e0bf6b4..789cce8e3 100644 --- a/bta/pan/bta_pan_act.cc +++ b/bta/pan/bta_pan_act.cc @@ -171,31 +171,25 @@ static void bta_pan_data_flow_cb(uint16_t handle, tPAN_RESULT result) { static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src, const RawAddress& dst, uint16_t protocol, BT_HDR* p_buf, bool ext, bool forward) { - tBTA_PAN_SCB* p_scb; - BT_HDR* p_new_buf; - - p_scb = bta_pan_scb_by_handle(handle); + tBTA_PAN_SCB* p_scb = bta_pan_scb_by_handle(handle); if (p_scb == NULL) { return; } - if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) { - /* offset smaller than data structure in front of actual data */ - if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > - PAN_BUF_SIZE) { - android_errorWriteLog(0x534e4554, "63146237"); - APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, - p_buf->len); - return; - } - p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE); - memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS), - (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len); - p_new_buf->len = p_buf->len; - p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS); - } else { - p_new_buf = p_buf; + if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > + PAN_BUF_SIZE) { + android_errorWriteLog(0x534e4554, "63146237"); + APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, + p_buf->len); + return; } + + BT_HDR* p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE); + memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS), + (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len); + p_new_buf->len = p_buf->len; + p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS); + /* copy params into the space before the data */ ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->src = src; ((tBTA_PAN_DATA_PARAMS*)p_new_buf)->dst = dst; diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc index fc10b8b61..edd073062 100644 --- a/btif/src/btif_rc.cc +++ b/btif/src/btif_rc.cc @@ -45,6 +45,7 @@ #include "btif_util.h" #include "btu.h" #include "device/include/interop.h" +#include "log/log.h" #include "osi/include/list.h" #include "osi/include/osi.h" #include "osi/include/properties.h" @@ -3502,6 +3503,12 @@ static void handle_app_cur_val_response(tBTA_AV_META_MSG* pmeta_msg, RawAddress rc_addr = p_dev->rc_addr; app_settings.num_attr = p_rsp->num_val; + + if (app_settings.num_attr > BTRC_MAX_APP_SETTINGS) { + android_errorWriteLog(0x534e4554, "73824150"); + app_settings.num_attr = BTRC_MAX_APP_SETTINGS; + } + for (xx = 0; xx < app_settings.num_attr; xx++) { app_settings.attr_ids[xx] = p_rsp->p_vals[xx].attr_id; app_settings.attr_values[xx] = p_rsp->p_vals[xx].attr_val; diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc index 9d4a84ed0..1c34787b2 100644 --- a/btif/src/btif_storage.cc +++ b/btif/src/btif_storage.cc @@ -235,6 +235,10 @@ static int prop2cfg(const RawAddress* remote_bd_addr, bt_property_t* prop) { bt_uuid_t* p_uuid = (bt_uuid_t*)prop->val + i; memset(buf, 0, sizeof(buf)); uuid_to_string_legacy(p_uuid, buf, sizeof(buf)); + if (strlen(value) + strlen(buf) + 1 > (int) sizeof(value) - 1) { + android_errorWriteLog(0x534e4554, "73963551"); + return false; + } strcat(value, buf); // strcat(value, ";"); strcat(value, " "); diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc index 334362449..fbfeeaf9f 100644 --- a/stack/avrc/avrc_pars_ct.cc +++ b/stack/avrc/avrc_pars_ct.cc @@ -119,6 +119,10 @@ void avrc_parse_notification_rsp(uint8_t* p_stream, case AVRC_EVT_APP_SETTING_CHANGE: BE_STREAM_TO_UINT8(p_rsp->param.player_setting.num_attr, p_stream); + if (p_rsp->param.player_setting.num_attr > AVRC_MAX_APP_SETTINGS) { + android_errorWriteLog(0x534e4554, "73782082"); + p_rsp->param.player_setting.num_attr = AVRC_MAX_APP_SETTINGS; + } for (int index = 0; index < p_rsp->param.player_setting.num_attr; index++) { BE_STREAM_TO_UINT8(p_rsp->param.player_setting.attr_id[index], diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc index 923ce5093..e5d3c0948 100644 --- a/stack/bnep/bnep_api.cc +++ b/stack/bnep/bnep_api.cc @@ -23,6 +23,7 @@ ******************************************************************************/ #include "bnep_api.h" +#include <log/log.h> #include <string.h> #include "bnep_int.h" @@ -383,6 +384,10 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr, protocol = 0; else { new_len += 4; + if (new_len > org_len) { + android_errorWriteLog(0x534e4554, "74947856"); + return BNEP_IGNORE_CMD; + } p_data[2] = 0; p_data[3] = 0; } @@ -479,6 +484,10 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr, protocol = 0; else { new_len += 4; + if (new_len > org_len) { + android_errorWriteLog(0x534e4554, "74947856"); + return BNEP_IGNORE_CMD; + } p_data[2] = 0; p_data[3] = 0; } diff --git a/stack/bnep/bnep_main.cc b/stack/bnep/bnep_main.cc index f621fdb64..463fca33b 100644 --- a/stack/bnep/bnep_main.cc +++ b/stack/bnep/bnep_main.cc @@ -607,7 +607,6 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) { if (bnep_cb.p_data_buf_cb) { (*bnep_cb.p_data_buf_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol, p_buf, fw_ext_present); - osi_free(p_buf); } else if (bnep_cb.p_data_ind_cb) { (*bnep_cb.p_data_ind_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol, p, rem_len, fw_ext_present); diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc index 3af986639..f9e8f537f 100644 --- a/stack/gatt/gatt_sr.cc +++ b/stack/gatt/gatt_sr.cc @@ -22,6 +22,7 @@ * ******************************************************************************/ +#include <log/log.h> #include "bt_target.h" #include "bt_utils.h" #include "osi/include/osi.h" @@ -281,8 +282,8 @@ tGATT_STATUS gatt_sr_process_app_rsp(tGATT_TCB& tcb, tGATT_IF gatt_if, * Returns void * ******************************************************************************/ -void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code, - UNUSED_ATTR uint16_t len, uint8_t* p_data) { +void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code, uint16_t len, + uint8_t* p_data) { uint8_t *p = p_data, flag, i = 0; uint32_t trans_id = 0; tGATT_IF gatt_if; @@ -301,6 +302,13 @@ void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code, } #endif + if (len < sizeof(flag)) { + android_errorWriteLog(0x534e4554, "73172115"); + LOG(ERROR) << __func__ << "invalid length"; + gatt_send_error_rsp(tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false); + return; + } + STREAM_TO_UINT8(flag, p); /* mask the flag */ @@ -780,7 +788,8 @@ static void gatts_process_mtu_req(tGATT_TCB& tcb, uint16_t len, void gatts_process_read_by_type_req(tGATT_TCB& tcb, uint8_t op_code, uint16_t len, uint8_t* p_data) { tBT_UUID uuid; - uint16_t s_hdl, e_hdl, err_hdl = 0; + uint16_t s_hdl = 0, e_hdl = 0, err_hdl = 0; + if (len < 4) android_errorWriteLog(0x534e4554, "73125709"); tGATT_STATUS reason = gatts_validate_packet_format(op_code, len, p_data, &uuid, s_hdl, e_hdl); @@ -940,9 +949,19 @@ void gatts_process_write_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el, */ static void gatts_process_read_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el, uint8_t op_code, uint16_t handle, - UNUSED_ATTR uint16_t len, uint8_t* p_data) { + uint16_t len, uint8_t* p_data) { size_t buf_len = sizeof(BT_HDR) + tcb.payload_size + L2CAP_MIN_OFFSET; uint16_t offset = 0; + + if (op_code == GATT_REQ_READ_BLOB && len < sizeof(uint16_t)) { + /* Error: packet length is too short */ + LOG(ERROR) << __func__ << ": packet length=" << len + << " too short. min=" << sizeof(uint16_t); + android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0); + gatt_send_error_rsp(tcb, GATT_INVALID_PDU, op_code, 0, false); + return; + } + BT_HDR* p_msg = (BT_HDR*)osi_calloc(buf_len); if (op_code == GATT_REQ_READ_BLOB) STREAM_TO_UINT16(offset, p_data); @@ -964,7 +983,7 @@ static void gatts_process_read_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el, if (reason != GATT_SUCCESS) { osi_free(p_msg); - /* in theroy BUSY is not possible(should already been checked), protected + /* in theory BUSY is not possible(should already been checked), protected * check */ if (reason != GATT_PENDING && reason != GATT_BUSY) gatt_send_error_rsp(tcb, reason, op_code, handle, false); diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc index 6c7820f66..17ce2d305 100644 --- a/stack/l2cap/l2c_ble.cc +++ b/stack/l2cap/l2c_ble.cc @@ -33,6 +33,7 @@ #include "hcimsgs.h" #include "l2c_int.h" #include "l2cdefs.h" +#include "log/log.h" #include "osi/include/osi.h" #include "stack_config.h" @@ -788,6 +789,10 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { break; case L2CAP_CMD_DISC_REQ: + if (p + 4 > p_pkt_end) { + android_errorWriteLog(0x534e4554, "74121659"); + return; + } STREAM_TO_UINT16(lcid, p); STREAM_TO_UINT16(rcid, p); diff --git a/stack/l2cap/l2c_fcr.cc b/stack/l2cap/l2c_fcr.cc index 0e5a84a50..9c2742f56 100644 --- a/stack/l2cap/l2c_fcr.cc +++ b/stack/l2cap/l2c_fcr.cc @@ -24,6 +24,7 @@ ******************************************************************************/ #include <base/logging.h> +#include <log/log.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -855,8 +856,24 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { p_buf->offset += sizeof(sdu_length); p_data->offset = 0; - } else + } else { p_data = p_ccb->ble_sdu; + if (p_buf->len > (p_ccb->ble_sdu_length - p_data->len)) { + L2CAP_TRACE_ERROR("%s: buffer length=%d too big. max=%d. Dropped", + __func__, p_data->len, + (p_ccb->ble_sdu_length - p_data->len)); + android_errorWriteWithInfoLog(0x534e4554, "75298652", -1, NULL, 0); + osi_free(p_buf); + + /* Throw away all pending fragments and disconnects */ + p_ccb->is_first_seg = true; + osi_free(p_ccb->ble_sdu); + p_ccb->ble_sdu = NULL; + p_ccb->ble_sdu_length = 0; + l2cu_disconnect_chnl(p_ccb); + return; + } + } memcpy((uint8_t*)(p_data + 1) + p_data->offset + p_data->len, (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len); @@ -869,9 +886,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { p_ccb->ble_sdu_length = 0; } else if (p_data->len < p_ccb->ble_sdu_length) { p_ccb->is_first_seg = false; - } else { - L2CAP_TRACE_ERROR("%s Length in the SDU messed up", __func__); - // TODO: reset every thing may be??? } osi_free(p_buf); diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc index 83d1737bc..7c1ef4837 100644 --- a/stack/l2cap/l2c_main.cc +++ b/stack/l2cap/l2c_main.cc @@ -320,8 +320,16 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { switch (cmd_code) { case L2CAP_CMD_REJECT: + if (p + 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(rej_reason, p); if (rej_reason == L2CAP_CMD_REJ_MTU_EXCEEDED) { + if (p + 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(rej_mtu, p); /* What to do with the MTU reject ? We have negotiated an MTU. For now */ @@ -332,6 +340,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { p_lcb->handle, rej_mtu); } if (rej_reason == L2CAP_CMD_REJ_INVALID_CID) { + if (p + 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(rcid, p); STREAM_TO_UINT16(lcid, p); @@ -365,6 +377,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { break; case L2CAP_CMD_CONN_REQ: + if (p + 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(con_info.psm, p); STREAM_TO_UINT16(rcid, p); p_rcb = l2cu_find_rcb_by_psm(con_info.psm); @@ -396,6 +412,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { break; case L2CAP_CMD_CONN_RSP: + if (p + 8 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(con_info.remote_cid, p); STREAM_TO_UINT16(lcid, p); STREAM_TO_UINT16(con_info.l2cap_result, p); @@ -427,6 +447,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { cfg_rej = false; cfg_rej_len = 0; + if (p + 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(lcid, p); STREAM_TO_UINT16(cfg_info.flags, p); @@ -437,22 +461,38 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { false; while (p < p_cfg_end) { + if (p + 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_code, p); STREAM_TO_UINT8(cfg_len, p); switch (cfg_code & 0x7F) { case L2CAP_CFG_TYPE_MTU: cfg_info.mtu_present = true; + if (p + 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(cfg_info.mtu, p); break; case L2CAP_CFG_TYPE_FLUSH_TOUT: cfg_info.flush_to_present = true; + if (p + 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(cfg_info.flush_to, p); break; case L2CAP_CFG_TYPE_QOS: cfg_info.qos_present = true; + if (p + 2 + 5 * 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_info.qos.qos_flags, p); STREAM_TO_UINT8(cfg_info.qos.service_type, p); STREAM_TO_UINT32(cfg_info.qos.token_rate, p); @@ -464,6 +504,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { case L2CAP_CFG_TYPE_FCR: cfg_info.fcr_present = true; + if (p + 3 + 3 * 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_info.fcr.mode, p); STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p); STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p); @@ -474,11 +518,19 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { case L2CAP_CFG_TYPE_FCS: cfg_info.fcs_present = true; + if (p + 1 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_info.fcs, p); break; case L2CAP_CFG_TYPE_EXT_FLOW: cfg_info.ext_flow_spec_present = true; + if (p + 2 + 2 + 3 * 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p); STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p); STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p); @@ -523,6 +575,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { case L2CAP_CMD_CONFIG_RSP: p_cfg_end = p + cmd_len; + if (p + 6 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(lcid, p); STREAM_TO_UINT16(cfg_info.flags, p); STREAM_TO_UINT16(cfg_info.result, p); @@ -532,22 +588,38 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { false; while (p < p_cfg_end) { + if (p + 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_code, p); STREAM_TO_UINT8(cfg_len, p); switch (cfg_code & 0x7F) { case L2CAP_CFG_TYPE_MTU: cfg_info.mtu_present = true; + if (p + 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(cfg_info.mtu, p); break; case L2CAP_CFG_TYPE_FLUSH_TOUT: cfg_info.flush_to_present = true; + if (p + 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(cfg_info.flush_to, p); break; case L2CAP_CFG_TYPE_QOS: cfg_info.qos_present = true; + if (p + 2 + 5 * 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_info.qos.qos_flags, p); STREAM_TO_UINT8(cfg_info.qos.service_type, p); STREAM_TO_UINT32(cfg_info.qos.token_rate, p); @@ -559,6 +631,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { case L2CAP_CFG_TYPE_FCR: cfg_info.fcr_present = true; + if (p + 3 + 3 * 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_info.fcr.mode, p); STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p); STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p); @@ -569,11 +645,19 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { case L2CAP_CFG_TYPE_FCS: cfg_info.fcs_present = true; + if (p + 1 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_info.fcs, p); break; case L2CAP_CFG_TYPE_EXT_FLOW: cfg_info.ext_flow_spec_present = true; + if (p + 2 + 2 + 3 * 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p); STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p); STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p); @@ -603,6 +687,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { break; case L2CAP_CMD_DISC_REQ: + if (p + 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(lcid, p); STREAM_TO_UINT16(rcid, p); @@ -618,6 +706,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { break; case L2CAP_CMD_DISC_RSP: + if (p + 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(rcid, p); STREAM_TO_UINT16(lcid, p); @@ -645,6 +737,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { break; case L2CAP_CMD_INFO_REQ: + if (p + 2 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(info_type, p); l2cu_send_peer_info_rsp(p_lcb, id, info_type); break; @@ -656,6 +752,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { p_lcb->w4_info_rsp = false; } + if (p + 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT16(info_type, p); STREAM_TO_UINT16(result, p); @@ -663,6 +763,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { if ((info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE) && (result == L2CAP_INFO_RESP_RESULT_SUCCESS)) { + if (p + 4 > p_next_cmd) { + android_errorWriteLog(0x534e4554, "74202041"); + return; + } STREAM_TO_UINT32(p_lcb->peer_ext_fea, p); #if (L2CAP_NUM_FIXED_CHNLS > 0) diff --git a/stack/pan/pan_main.cc b/stack/pan/pan_main.cc index d7cd27b07..6a554231f 100644 --- a/stack/pan/pan_main.cc +++ b/stack/pan/pan_main.cc @@ -595,12 +595,11 @@ void pan_data_buf_ind_cb(uint16_t handle, const RawAddress& src, if (pan_cb.pan_data_buf_ind_cb) (*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf, ext, forward); - else if (pan_cb.pan_data_ind_cb) { + else if (pan_cb.pan_data_ind_cb) (*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len, ext, forward); - osi_free(p_buf); - } + osi_free(p_buf); return; } @@ -625,13 +624,10 @@ void pan_data_buf_ind_cb(uint16_t handle, const RawAddress& src, if (pan_cb.pan_data_buf_ind_cb) (*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf, ext, forward); - else if (pan_cb.pan_data_ind_cb) { + else if (pan_cb.pan_data_ind_cb) (*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len, ext, forward); - osi_free(p_buf); - } else - osi_free(p_buf); - + osi_free(p_buf); return; } diff --git a/stack/smp/p_256_ecc_pp.cc b/stack/smp/p_256_ecc_pp.cc index b416e1d3f..911dc5498 100644 --- a/stack/smp/p_256_ecc_pp.cc +++ b/stack/smp/p_256_ecc_pp.cc @@ -245,3 +245,25 @@ void ECC_PointMult_Bin_NAF(Point* q, Point* p, uint32_t* n, multiprecision_mersenns_mult_mod(q->z, q->z, minus_p.x, keyLength); multiprecision_mersenns_mult_mod(q->y, q->y, q->z, keyLength); } + +bool ECC_ValidatePoint(const Point& pt) { + const size_t kl = KEY_LENGTH_DWORDS_P256; + p_256_init_curve(kl); + + // Ensure y^2 = x^3 + a*x + b (mod p); a = -3 + + // y^2 mod p + uint32_t y2_mod[kl] = {0}; + multiprecision_mersenns_squa_mod(y2_mod, (uint32_t*)pt.y, kl); + + // Right hand side calculation + uint32_t rhs[kl] = {0}; + multiprecision_mersenns_squa_mod(rhs, (uint32_t*)pt.x, kl); + uint32_t three[kl] = {0}; + three[0] = 3; + multiprecision_sub_mod(rhs, rhs, three, kl); + multiprecision_mersenns_mult_mod(rhs, rhs, (uint32_t*)pt.x, kl); + multiprecision_add_mod(rhs, rhs, curve_p256.b, kl); + + return multiprecision_compare(rhs, y2_mod, kl) == 0; +} diff --git a/stack/smp/p_256_ecc_pp.h b/stack/smp/p_256_ecc_pp.h index dcc4211dc..b7a8e0066 100644 --- a/stack/smp/p_256_ecc_pp.h +++ b/stack/smp/p_256_ecc_pp.h @@ -25,6 +25,7 @@ #pragma once +#include <cstdbool> #include "p_256_multprecision.h" typedef struct { @@ -55,6 +56,8 @@ typedef struct { extern elliptic_curve_t curve; extern elliptic_curve_t curve_p256; +bool ECC_ValidatePoint(const Point& p); + void ECC_PointMult_Bin_NAF(Point* q, Point* p, uint32_t* n, uint32_t keyLength); #define ECC_PointMult(q, p, n, keyLength) \ diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc index df9fab9f1..2103776df 100644 --- a/stack/smp/smp_act.cc +++ b/stack/smp/smp_act.cc @@ -22,6 +22,7 @@ #include "include/bt_target.h" #include "stack/btm/btm_int.h" #include "stack/include/l2c_api.h" +#include "stack/smp/p_256_ecc_pp.h" #include "stack/smp/smp_int.h" #include "utils/include/bt_utils.h" @@ -655,6 +656,17 @@ void smp_process_pairing_public_key(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN); STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN); + + Point pt; + memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN); + memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN); + + if (!ECC_ValidatePoint(pt)) { + android_errorWriteLog(0x534e4554, "72377774"); + smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); + return; + } + p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY; smp_wait_for_both_public_keys(p_cb, NULL); diff --git a/stack/smp/smp_main.cc b/stack/smp/smp_main.cc index 829a5d48f..49e2ece7b 100644 --- a/stack/smp/smp_main.cc +++ b/stack/smp/smp_main.cc @@ -18,6 +18,7 @@ #include "bt_target.h" +#include <cutils/log.h> #include <string.h> #include "smp_int.h" @@ -954,6 +955,13 @@ void smp_sm_event(tSMP_CB* p_cb, tSMP_EVENT event, void* p_data) { uint8_t curr_state = p_cb->state; tSMP_SM_TBL state_table; uint8_t action, entry, i; + + if (p_cb->role >= 2) { + SMP_TRACE_DEBUG("Invalid role: %d", p_cb->role); + android_errorWriteLog(0x534e4554, "74121126"); + return; + } + tSMP_ENTRY_TBL entry_table = smp_entry_table[p_cb->role]; SMP_TRACE_EVENT("main smp_sm_event"); |