diff options
| author | android-build-prod (mdb) <android-build-team-robot@google.com> | 2018-04-10 23:02:45 +0000 |
|---|---|---|
| committer | android-build-prod (mdb) <android-build-team-robot@google.com> | 2018-04-10 23:02:45 +0000 |
| commit | e1ee4fdbd5daf04b6d9e10a467164d4cd9e9075d (patch) | |
| tree | 0a9b2cb6ae5da5a626d273eb5e7d957df1a4b468 | |
| parent | 1d7aa32df8d6549263bdbcb2b33453badc682cf5 (diff) | |
| parent | cf98916401833f40c3aa5bf42dee577153ed4816 (diff) | |
| download | bt-e1ee4fdbd5daf04b6d9e10a467164d4cd9e9075d.tar.gz | |
Snap for 4711598 from cf98916401833f40c3aa5bf42dee577153ed4816 to oreo-mr1-vts-releaseandroid-vts-8.1_r9android-vts-8.1_r8android-vts-8.1_r7android-vts-8.1_r6android-vts-8.1_r5android-vts-8.1_r4android-vts-8.1_r14android-vts-8.1_r13android-vts-8.1_r12android-vts-8.1_r11android-vts-8.1_r10oreo-mr1-vts-release
Change-Id: Ieb07f325e1d74352f89c6d622ec44c1da5eef93f
| -rw-r--r-- | osi/src/config.cc | 15 | ||||
| -rw-r--r-- | stack/avrc/avrc_pars_ct.cc | 26 | ||||
| -rw-r--r-- | stack/avrc/avrc_pars_tg.cc | 12 | ||||
| -rw-r--r-- | stack/sdp/sdp_server.cc | 60 | ||||
| -rw-r--r-- | stack/sdp/sdp_utils.cc | 38 |
5 files changed, 116 insertions, 35 deletions
diff --git a/osi/src/config.cc b/osi/src/config.cc index 10197210b..fc64d4746 100644 --- a/osi/src/config.cc +++ b/osi/src/config.cc @@ -34,6 +34,7 @@ #include "osi/include/allocator.h" #include "osi/include/list.h" #include "osi/include/log.h" +#include "log/log.h" typedef struct { char* key; @@ -217,17 +218,27 @@ void config_set_string(config_t* config, const char* section, const char* key, list_append(config->sections, sec); } + std::string value_string = value; + std::string value_no_newline; + size_t newline_position = value_string.find("\n"); + if (newline_position != std::string::npos) { + android_errorWriteLog(0x534e4554, "70808273"); + value_no_newline = value_string.substr(0, newline_position); + } else { + value_no_newline = value_string; + } + for (const list_node_t* node = list_begin(sec->entries); node != list_end(sec->entries); node = list_next(node)) { entry_t* entry = static_cast<entry_t*>(list_node(node)); if (!strcmp(entry->key, key)) { osi_free(entry->value); - entry->value = osi_strdup(value); + entry->value = osi_strdup(value_no_newline.c_str()); return; } } - entry_t* entry = entry_new(key, value); + entry_t* entry = entry_new(key, value_no_newline.c_str()); list_append(sec->entries, entry); } diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc index 144c7786c..334362449 100644 --- a/stack/avrc/avrc_pars_ct.cc +++ b/stack/avrc/avrc_pars_ct.cc @@ -22,6 +22,7 @@ #include "avrc_int.h" #include "bt_common.h" #include "bt_utils.h" +#include "log/log.h" #include "osi/include/osi.h" /***************************************************************************** @@ -459,6 +460,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p); AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->list_app_attr.num_attr); + + if (p_result->list_app_attr.num_attr > AVRC_MAX_APP_ATTR_SIZE) { + android_errorWriteLog(0x534e4554, "63146237"); + p_result->list_app_attr.num_attr = AVRC_MAX_APP_ATTR_SIZE; + } + for (int xx = 0; xx < p_result->list_app_attr.num_attr; xx++) { BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p); } @@ -487,6 +494,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, p_result->get_cur_app_val.num_val * sizeof(tAVRC_APP_SETTING)); AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_cur_app_val.num_val); + + if (p_result->get_cur_app_val.num_val > AVRC_MAX_APP_ATTR_SIZE) { + android_errorWriteLog(0x534e4554, "63146237"); + p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE; + } + for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++) { BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p); BE_STREAM_TO_UINT8(app_sett[xx].attr_val, p); @@ -495,7 +508,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, } break; case AVRC_PDU_GET_PLAYER_APP_ATTR_TEXT: { - tAVRC_APP_SETTING_TEXT* p_setting_text; uint8_t num_attrs; if (len == 0) { @@ -503,10 +515,14 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, break; } BE_STREAM_TO_UINT8(num_attrs, p); + if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) { + num_attrs = AVRC_MAX_APP_ATTR_SIZE; + } AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_app_attr_txt.num_attr); p_result->get_app_attr_txt.num_attr = num_attrs; - p_setting_text = (tAVRC_APP_SETTING_TEXT*)osi_malloc( + + p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc( num_attrs * sizeof(tAVRC_APP_SETTING_TEXT)); for (int xx = 0; xx < num_attrs; xx++) { BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p); @@ -526,7 +542,6 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, } break; case AVRC_PDU_GET_PLAYER_APP_VALUE_TEXT: { - tAVRC_APP_SETTING_TEXT* p_setting_text; uint8_t num_vals; if (len == 0) { @@ -534,11 +549,14 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp(tAVRC_MSG_VENDOR* p_msg, break; } BE_STREAM_TO_UINT8(num_vals, p); + if (num_vals > AVRC_MAX_APP_ATTR_SIZE) { + num_vals = AVRC_MAX_APP_ATTR_SIZE; + } p_result->get_app_val_txt.num_attr = num_vals; AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->get_app_val_txt.num_attr); - p_setting_text = (tAVRC_APP_SETTING_TEXT*)osi_malloc( + p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)osi_malloc( num_vals * sizeof(tAVRC_APP_SETTING_TEXT)); for (int i = 0; i < num_vals; i++) { BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p); diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc index 1ed6963a8..12b759897 100644 --- a/stack/avrc/avrc_pars_tg.cc +++ b/stack/avrc/avrc_pars_tg.cc @@ -220,6 +220,11 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg, p_result->get_app_val_txt.num_val) status = AVRC_STS_INTERNAL_ERR; else { + if (p_result->get_app_val_txt.num_val > AVRC_MAX_APP_ATTR_SIZE) { + android_errorWriteLog(0x534e4554, "63146237"); + p_result->get_app_val_txt.num_val = AVRC_MAX_APP_ATTR_SIZE; + } + p_u8 = p_result->get_app_val_txt.vals; for (xx = 0; xx < p_result->get_app_val_txt.num_val; xx++) { p_u8[xx] = *p++; @@ -492,8 +497,11 @@ static tAVRC_STS avrc_pars_browsing_cmd(tAVRC_MSG_BROWSE* p_msg, BE_STREAM_TO_UINT16(p_result->search.string.str_len, p); p_result->search.string.p_str = p_buf; if (p_buf) { - if (buf_len > p_result->search.string.str_len) - buf_len = p_result->search.string.str_len; + if (p_result->search.string.str_len > buf_len) { + p_result->search.string.str_len = buf_len; + } else { + android_errorWriteLog(0x534e4554, "63146237"); + } BE_STREAM_TO_ARRAY(p, p_buf, p_result->search.string.str_len); } else { status = AVRC_STS_INTERNAL_ERR; diff --git a/stack/sdp/sdp_server.cc b/stack/sdp/sdp_server.cc index b18f42959..e4ed60a92 100644 --- a/stack/sdp/sdp_server.cc +++ b/stack/sdp/sdp_server.cc @@ -24,7 +24,6 @@ ******************************************************************************/ #include <cutils/log.h> - #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -54,7 +53,7 @@ /******************************************************************************/ static void process_service_search(tCONN_CB* p_ccb, uint16_t trans_num, uint16_t param_len, uint8_t* p_req, - UNUSED_ATTR uint8_t* p_req_end); + uint8_t* p_req_end); static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, uint16_t param_len, uint8_t* p_req, @@ -62,7 +61,7 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, uint16_t param_len, uint8_t* p_req, - UNUSED_ATTR uint8_t* p_req_end); + uint8_t* p_req_end); /******************************************************************************/ /* E R R O R T E X T S T R I N G S */ @@ -123,11 +122,25 @@ void sdp_server_handle_client_req(tCONN_CB* p_ccb, BT_HDR* p_msg) { alarm_set_on_mloop(p_ccb->sdp_conn_timer, SDP_INACT_TIMEOUT_MS, sdp_conn_timer_timeout, p_ccb); + if (p_req + sizeof(pdu_id) + sizeof(trans_num) > p_req_end) { + android_errorWriteLog(0x534e4554, "69384124"); + trans_num = 0; + sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, + SDP_TEXT_BAD_HEADER); + } + /* The first byte in the message is the pdu type */ pdu_id = *p_req++; /* Extract the transaction number and parameter length */ BE_STREAM_TO_UINT16(trans_num, p_req); + + if (p_req + sizeof(param_len) > p_req_end) { + android_errorWriteLog(0x534e4554, "69384124"); + sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, + SDP_TEXT_BAD_HEADER); + } + BE_STREAM_TO_UINT16(param_len, p_req); if ((p_req + param_len) != p_req_end) { @@ -171,7 +184,7 @@ void sdp_server_handle_client_req(tCONN_CB* p_ccb, BT_HDR* p_msg) { ******************************************************************************/ static void process_service_search(tCONN_CB* p_ccb, uint16_t trans_num, uint16_t param_len, uint8_t* p_req, - UNUSED_ATTR uint8_t* p_req_end) { + uint8_t* p_req_end) { uint16_t max_replies, cur_handles, rem_handles, cont_offset; tSDP_UUID_SEQ uid_seq; uint8_t *p_rsp, *p_rsp_start, *p_rsp_param_len; @@ -189,15 +202,15 @@ static void process_service_search(tCONN_CB* p_ccb, uint16_t trans_num, } /* Get the max replies we can send. Cap it at our max anyways. */ - BE_STREAM_TO_UINT16(max_replies, p_req); - - if (max_replies > SDP_MAX_RECORDS) max_replies = SDP_MAX_RECORDS; - - if ((!p_req) || (p_req > p_req_end)) { + if (p_req + sizeof(max_replies) + sizeof(uint8_t) > p_req_end) { + android_errorWriteLog(0x534e4554, "69384124"); sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_MAX_RECORDS_LIST); return; } + BE_STREAM_TO_UINT16(max_replies, p_req); + + if (max_replies > SDP_MAX_RECORDS) max_replies = SDP_MAX_RECORDS; /* Get a list of handles that match the UUIDs given to us */ for (num_rsp_handles = 0; num_rsp_handles < max_replies;) { @@ -211,7 +224,8 @@ static void process_service_search(tCONN_CB* p_ccb, uint16_t trans_num, /* Check if this is a continuation request */ if (*p_req) { - if (*p_req++ != SDP_CONTINUATION_LEN || (p_req >= p_req_end)) { + if (*p_req++ != SDP_CONTINUATION_LEN || + (p_req + sizeof(cont_offset) > p_req_end)) { sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN); return; @@ -310,15 +324,16 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, bool is_cont = false; uint16_t attr_len; - /* Extract the record handle */ - BE_STREAM_TO_UINT32(rec_handle, p_req); - - if (p_req > p_req_end) { + if (p_req + sizeof(rec_handle) + sizeof(max_list_len) > p_req_end) { + android_errorWriteLog(0x534e4554, "69384124"); sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_SERV_REC_HDL, SDP_TEXT_BAD_HANDLE); return; } + /* Extract the record handle */ + BE_STREAM_TO_UINT32(rec_handle, p_req); + /* Get the max list length we can send. Cap it at MTU size minus overhead */ BE_STREAM_TO_UINT16(max_list_len, p_req); @@ -327,7 +342,8 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, p_req = sdpu_extract_attr_seq(p_req, param_len, &attr_seq); - if ((!p_req) || (!attr_seq.num_attr) || (p_req > p_req_end)) { + if ((!p_req) || (!attr_seq.num_attr) || + (p_req + sizeof(uint8_t) > p_req_end)) { sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_ATTR_LIST); return; @@ -355,7 +371,8 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, /* Check if this is a continuation request */ if (*p_req) { - if (*p_req++ != SDP_CONTINUATION_LEN) { + if (*p_req++ != SDP_CONTINUATION_LEN || + (p_req + sizeof(cont_offset) > p_req_end)) { sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN); return; @@ -520,7 +537,7 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, ******************************************************************************/ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, uint16_t param_len, uint8_t* p_req, - UNUSED_ATTR uint8_t* p_req_end) { + uint8_t* p_req_end) { uint16_t max_list_len; int16_t rem_len; uint16_t len_to_send, cont_offset; @@ -537,7 +554,8 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, /* Extract the UUID sequence to search for */ p_req = sdpu_extract_uid_seq(p_req, param_len, &uid_seq); - if ((!p_req) || (!uid_seq.num_uids)) { + if ((!p_req) || (!uid_seq.num_uids) || + (p_req + sizeof(uint16_t) > p_req_end)) { sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_UUID_LIST); return; @@ -551,7 +569,8 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, p_req = sdpu_extract_attr_seq(p_req, param_len, &attr_seq); - if ((!p_req) || (!attr_seq.num_attr)) { + if ((!p_req) || (!attr_seq.num_attr) || + (p_req + sizeof(uint8_t) > p_req_end)) { sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_ATTR_LIST); return; @@ -571,7 +590,8 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, /* Check if this is a continuation request */ if (*p_req) { - if (*p_req++ != SDP_CONTINUATION_LEN) { + if (*p_req++ != SDP_CONTINUATION_LEN || + (p_req + sizeof(uint16_t) > p_req_end)) { sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN); return; diff --git a/stack/sdp/sdp_utils.cc b/stack/sdp/sdp_utils.cc index 803e963c2..e6589d403 100644 --- a/stack/sdp/sdp_utils.cc +++ b/stack/sdp/sdp_utils.cc @@ -332,6 +332,8 @@ uint8_t* sdpu_extract_uid_seq(uint8_t* p, uint16_t param_len, p_seq->num_uids = 0; /* A UID sequence is composed of a bunch of UIDs. */ + if (sizeof(descr) > param_len) return (NULL); + param_len -= sizeof(descr); BE_STREAM_TO_UINT8(descr, p); type = descr >> 3; @@ -350,19 +352,25 @@ uint8_t* sdpu_extract_uid_seq(uint8_t* p, uint16_t param_len, seq_len = 16; break; case SIZE_IN_NEXT_BYTE: + if (sizeof(uint8_t) > param_len) return (NULL); + param_len -= sizeof(uint8_t); BE_STREAM_TO_UINT8(seq_len, p); break; case SIZE_IN_NEXT_WORD: + if (sizeof(uint16_t) > param_len) return (NULL); + param_len -= sizeof(uint16_t); BE_STREAM_TO_UINT16(seq_len, p); break; case SIZE_IN_NEXT_LONG: + if (sizeof(uint32_t) > param_len) return (NULL); + param_len -= sizeof(uint32_t); BE_STREAM_TO_UINT32(seq_len, p); break; default: return (NULL); } - if (seq_len >= param_len) return (NULL); + if (seq_len > param_len) return (NULL); p_seq_end = p + seq_len; @@ -385,12 +393,15 @@ uint8_t* sdpu_extract_uid_seq(uint8_t* p, uint16_t param_len, uuid_len = 16; break; case SIZE_IN_NEXT_BYTE: + if (p + sizeof(uint8_t) > p_seq_end) return NULL; BE_STREAM_TO_UINT8(uuid_len, p); break; case SIZE_IN_NEXT_WORD: + if (p + sizeof(uint16_t) > p_seq_end) return NULL; BE_STREAM_TO_UINT16(uuid_len, p); break; case SIZE_IN_NEXT_LONG: + if (p + sizeof(uint32_t) > p_seq_end) return NULL; BE_STREAM_TO_UINT32(uuid_len, p); break; default: @@ -398,7 +409,8 @@ uint8_t* sdpu_extract_uid_seq(uint8_t* p, uint16_t param_len, } /* If UUID length is valid, copy it across */ - if ((uuid_len == 2) || (uuid_len == 4) || (uuid_len == 16)) { + if (((uuid_len == 2) || (uuid_len == 4) || (uuid_len == 16)) && + (p + uuid_len <= p_seq_end)) { p_seq->uuid_entry[p_seq->num_uids].len = (uint16_t)uuid_len; BE_STREAM_TO_ARRAY(p, p_seq->uuid_entry[p_seq->num_uids].value, (int)uuid_len); @@ -435,30 +447,38 @@ uint8_t* sdpu_extract_attr_seq(uint8_t* p, uint16_t param_len, p_seq->num_attr = 0; /* Get attribute sequence info */ + if (param_len < sizeof(descr)) return NULL; + param_len -= sizeof(descr); BE_STREAM_TO_UINT8(descr, p); type = descr >> 3; size = descr & 7; - if (type != DATA_ELE_SEQ_DESC_TYPE) return (p); + if (type != DATA_ELE_SEQ_DESC_TYPE) return NULL; switch (size) { case SIZE_IN_NEXT_BYTE: + if (param_len < sizeof(uint8_t)) return NULL; + param_len -= sizeof(uint8_t); BE_STREAM_TO_UINT8(list_len, p); break; case SIZE_IN_NEXT_WORD: + if (param_len < sizeof(uint16_t)) return NULL; + param_len -= sizeof(uint16_t); BE_STREAM_TO_UINT16(list_len, p); break; case SIZE_IN_NEXT_LONG: + if (param_len < sizeof(uint32_t)) return NULL; + param_len -= sizeof(uint32_t); BE_STREAM_TO_UINT32(list_len, p); break; default: - return (p); + return NULL; } - if (list_len > param_len) return (p); + if (list_len > param_len) return NULL; p_end_list = p + list_len; @@ -468,7 +488,7 @@ uint8_t* sdpu_extract_attr_seq(uint8_t* p, uint16_t param_len, type = descr >> 3; size = descr & 7; - if (type != UINT_DESC_TYPE) return (p); + if (type != UINT_DESC_TYPE) return NULL; switch (size) { case SIZE_TWO_BYTES: @@ -478,20 +498,24 @@ uint8_t* sdpu_extract_attr_seq(uint8_t* p, uint16_t param_len, attr_len = 4; break; case SIZE_IN_NEXT_BYTE: + if (p + sizeof(uint8_t) > p_end_list) return NULL; BE_STREAM_TO_UINT8(attr_len, p); break; case SIZE_IN_NEXT_WORD: + if (p + sizeof(uint16_t) > p_end_list) return NULL; BE_STREAM_TO_UINT16(attr_len, p); break; case SIZE_IN_NEXT_LONG: + if (p + sizeof(uint32_t) > p_end_list) return NULL; BE_STREAM_TO_UINT32(attr_len, p); break; default: - return (NULL); + return NULL; break; } /* Attribute length must be 2-bytes or 4-bytes for a paired entry. */ + if (p + attr_len > p_end_list) return NULL; if (attr_len == 2) { BE_STREAM_TO_UINT16(p_seq->attr_entry[p_seq->num_attr].start, p); p_seq->attr_entry[p_seq->num_attr].end = |