authorandroid-build-team Robot <android-build-team-robot@google.com>2018-11-15 18:21:19 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2018-11-15 18:21:19 +0000
commiteea3466eeae0377eca78fdbded598be97228674c (patch)
tree7b42d52c0e38a254f92b9ccbd8d0f9e3d9bf5fbe
parentb8da9c304f53d4a254638c9b70a40c111e0ed685 (diff)
parent94d718eb61cbb1e6fd08288039d7e62913735c6c (diff)
Merge cherrypicks of [5532243, 5532244, 5532245, 5532246, 5532247, 5532826, 5530552, 5532902, 5530553, 5531520, 5532903, 5530554, 5529581, 5529582, 5531521, 5532979, 5532999, 5532248, 5531522, 5531523, 5531524, 5531525, 5531526, 5529583, 5529584, 5529585, 5529586, 5531351, 5529632, 5530506, 5530507, 5532980, 5533000] into pi-qpr1-releaseandroid-9.0.0_r30pie-qpr1-release
Change-Id: Iec1d9c99fe3d220ff9dfed33550a1b1b597f8ee8
-rw-r--r--bta/ag/bta_ag_act.cc2
-rw-r--r--bta/ag/bta_ag_at.cc15
-rw-r--r--bta/ag/bta_ag_at.h2
-rw-r--r--bta/ag/bta_ag_cmd.cc47
-rw-r--r--bta/ag/bta_ag_int.h6
-rw-r--r--bta/hh/bta_hh_act.cc7
-rw-r--r--stack/avdt/avdt_scb_act.cc67
-rw-r--r--stack/mcap/mca_cact.cc17
-rw-r--r--stack/sdp/sdp_discovery.cc34
9 files changed, 156 insertions, 41 deletions
diff --git a/bta/ag/bta_ag_act.cc b/bta/ag/bta_ag_act.cc
index 84860f94b..eb989eb08 100644
--- a/bta/ag/bta_ag_act.cc
+++ b/bta/ag/bta_ag_act.cc
@@ -58,7 +58,7 @@ const tBTA_SERVICE_MASK bta_ag_svc_mask[BTA_AG_NUM_IDX] = {
BTA_HSP_SERVICE_MASK, BTA_HFP_SERVICE_MASK};
typedef void (*tBTA_AG_ATCMD_CBACK)(tBTA_AG_SCB* p_scb, uint16_t cmd,
- uint8_t arg_type, char* p_arg,
+ uint8_t arg_type, char* p_arg, char* p_end,
int16_t int_arg);
const tBTA_AG_ATCMD_CBACK bta_ag_at_cback_tbl[BTA_AG_NUM_IDX] = {
diff --git a/bta/ag/bta_ag_at.cc b/bta/ag/bta_ag_at.cc
index ecd9053c6..90c46ff4a 100644
--- a/bta/ag/bta_ag_at.cc
+++ b/bta/ag/bta_ag_at.cc
@@ -26,6 +26,7 @@
#include "bt_common.h"
#include "bta_ag_at.h"
+#include "log/log.h"
#include "utl.h"
/*****************************************************************************
@@ -76,7 +77,7 @@ void bta_ag_at_reinit(tBTA_AG_AT_CB* p_cb) {
* Returns void
*
*****************************************************************************/
-void bta_ag_process_at(tBTA_AG_AT_CB* p_cb) {
+void bta_ag_process_at(tBTA_AG_AT_CB* p_cb, char* p_end) {
uint16_t idx;
uint8_t arg_type;
char* p_arg;
@@ -92,6 +93,11 @@ void bta_ag_process_at(tBTA_AG_AT_CB* p_cb) {
if (p_cb->p_at_tbl[idx].p_cmd[0] != 0) {
/* start of argument is p + strlen matching command */
p_arg = p_cb->p_cmd_buf + strlen(p_cb->p_at_tbl[idx].p_cmd);
+ if (p_arg > p_end) {
+ (*p_cb->p_err_cback)((tBTA_AG_SCB*)p_cb->p_user, false, nullptr);
+ android_errorWriteLog(0x534e4554, "112860487");
+ return;
+ }
/* if no argument */
if (p_arg[0] == 0) {
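Review bot: The new guard rejects only `p_arg > p_end`, so `p_arg == p_end` falls through to `p_arg[0]` on the next line, which reads the byte at `p_end` itself. That is safe only if the byte at `p_end` is always a NUL terminator (bta_ag_at_parse computes `p_end` as `p_cmd_buf + cmd_pos`; whether the buffer is terminated at `cmd_pos` is not visible here); if it is not guaranteed, the comparison should be `>=`. Whichever is intended, record it at the check, e.g. `/* p_end is the terminator slot: p_arg may equal it, never pass it */`, so the `>` is recognisably deliberate. The error callback is invoked with `nullptr` as the argument, so bta_ag_at_err_cback must tolerate a null `p_arg` — its declaration in bta_ag_int.h carries no such comment.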
@@ -133,12 +139,12 @@ void bta_ag_process_at(tBTA_AG_AT_CB* p_cb) {
} else {
(*p_cb->p_cmd_cback)((tBTA_AG_SCB*)p_cb->p_user,
p_cb->p_at_tbl[idx].command_id, arg_type, p_arg,
- int_arg);
+ p_end, int_arg);
}
} else {
(*p_cb->p_cmd_cback)((tBTA_AG_SCB*)p_cb->p_user,
p_cb->p_at_tbl[idx].command_id, arg_type, p_arg,
- int_arg);
+ p_end, int_arg);
}
}
/* else error */
@@ -189,8 +195,9 @@ void bta_ag_at_parse(tBTA_AG_AT_CB* p_cb, char* p_buf, uint16_t len) {
(p_cb->p_cmd_buf[0] == 'A' || p_cb->p_cmd_buf[0] == 'a') &&
(p_cb->p_cmd_buf[1] == 'T' || p_cb->p_cmd_buf[1] == 't')) {
p_save = p_cb->p_cmd_buf;
+ char* p_end = p_cb->p_cmd_buf + p_cb->cmd_pos;
p_cb->p_cmd_buf += 2;
- bta_ag_process_at(p_cb);
+ bta_ag_process_at(p_cb, p_end);
p_cb->p_cmd_buf = p_save;
}
diff --git a/bta/ag/bta_ag_at.h b/bta/ag/bta_ag_at.h
index f36e2f265..c5b5d885c 100644
--- a/bta/ag/bta_ag_at.h
+++ b/bta/ag/bta_ag_at.h
@@ -56,7 +56,7 @@ typedef struct {
/* callback function executed when command is parsed */
struct tBTA_AG_SCB;
typedef void(tBTA_AG_AT_CMD_CBACK)(tBTA_AG_SCB* p_user, uint16_t command_id,
- uint8_t arg_type, char* p_arg,
+ uint8_t arg_type, char* p_arg, char* p_end,
int16_t int_arg);
/* callback function executed to send "ERROR" result code */
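Review bot: The comment above the typedef (`/* callback function executed when command is parsed */`) still describes the old contract and says nothing about `p_end`, yet this header is where implementers of the callback will look for its meaning. Add a line such as `/* p_end: bound of the buffer holding p_arg (one past the last received byte, per bta_ag_at_parse); callbacks must not read or write past it */`, and state explicitly whether the byte at `p_end` is a writable terminator slot — bta_ag_parse_cmer in bta_ag_cmd.cc writes `*p = 0` when `p == p_end`, so the two files currently rely on an undocumented convention.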
diff --git a/bta/ag/bta_ag_cmd.cc b/bta/ag/bta_ag_cmd.cc
index b9cf30666..248991570 100644
--- a/bta/ag/bta_ag_cmd.cc
+++ b/bta/ag/bta_ag_cmd.cc
@@ -30,6 +30,7 @@
#include "bta_ag_int.h"
#include "bta_api.h"
#include "bta_sys.h"
+#include "log/log.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
#include "port_api.h"
@@ -376,23 +377,23 @@ static void bta_ag_send_ind(tBTA_AG_SCB* p_scb, uint16_t id, uint16_t value,
* Returns true if parsed ok, false otherwise.
*
******************************************************************************/
-static bool bta_ag_parse_cmer(char* p_s, bool* p_enabled) {
+static bool bta_ag_parse_cmer(char* p_s, char* p_end, bool* p_enabled) {
int16_t n[4] = {-1, -1, -1, -1};
int i;
char* p;
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 4; i++, p_s = p + 1) {
/* skip to comma delimiter */
- for (p = p_s; *p != ',' && *p != 0; p++)
+ for (p = p_s; p < p_end && *p != ',' && *p != 0; p++)
;
/* get integer value */
+ if (p > p_end) {
+ android_errorWriteLog(0x534e4554, "112860487");
+ return false;
+ }
*p = 0;
n[i] = utl_str2int(p_s);
- p_s = p + 1;
- if (p_s == nullptr) {
- break;
- }
}
/* process values */
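Review bot: With the inner loop bounded by `p < p_end`, the `p > p_end` check fires in practice only when the new `p_s = p + 1` increment stepped past the bound after a field that ended exactly at `p_end`; the `p == p_end` case passes the check and `*p = 0` writes one byte at `p_end`. That write is benign if `p_end` is the command buffer's terminator slot and an out-of-bounds write otherwise — the caller chain (bta_ag_at_parse → bta_ag_process_at → bta_ag_at_hfp_cback) is outside this hunk, so I cannot confirm which; either document the invariant at the check or use `>=` and skip the write. bta_ag_parse_bac below has the same `p > p_end` / `*p` pattern (it reads `*p` at `p == p_end` before writing). The old `if (p_s == nullptr) break;` was unreachable, so its removal is correct; a one-line comment that the loop is now bounded by `p_end` rather than by the terminator would explain why.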
@@ -449,17 +450,22 @@ static uint8_t bta_ag_parse_chld(UNUSED_ATTR tBTA_AG_SCB* p_scb, char* p_s) {
* Returns Returns bitmap of supported codecs.
*
******************************************************************************/
-static tBTA_AG_PEER_CODEC bta_ag_parse_bac(tBTA_AG_SCB* p_scb, char* p_s) {
+static tBTA_AG_PEER_CODEC bta_ag_parse_bac(tBTA_AG_SCB* p_scb, char* p_s,
+ char* p_end) {
tBTA_AG_PEER_CODEC retval = BTA_AG_CODEC_NONE;
uint16_t uuid_codec;
char* p;
while (p_s) {
/* skip to comma delimiter */
- for (p = p_s; *p != ',' && *p != 0; p++)
+ for (p = p_s; p < p_end && *p != ',' && *p != 0; p++)
;
/* get integer value */
+ if (p > p_end) {
+ android_errorWriteLog(0x534e4554, "112860487");
+ break;
+ }
bool cont = false; // Continue processing
if (*p != 0) {
*p = 0;
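Review bot: On the bound violation this function `break`s and returns the codecs parsed so far, and the caller at `p_scb->peer_codecs = bta_ag_parse_bac(p_scb, p_arg, p_end);` stores that partial bitmap and sets `codec_updated = true`, whereas bta_ag_parse_cmer treats the same condition as a parse failure (`return false`). If a truncated +BAC should be rejected rather than partially accepted, return `BTA_AG_CODEC_NONE` here (or signal failure so the caller can send ERROR); if partial acceptance is intended, say so in a comment at the `break`. The function body continues past the hunk.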
@@ -584,7 +590,8 @@ void bta_ag_send_call_inds(tBTA_AG_SCB* p_scb, tBTA_AG_RES result) {
*
******************************************************************************/
void bta_ag_at_hsp_cback(tBTA_AG_SCB* p_scb, uint16_t command_id,
- uint8_t arg_type, char* p_arg, int16_t int_arg) {
+ uint8_t arg_type, char* p_arg, char* p_end,
+ int16_t int_arg) {
APPL_TRACE_DEBUG("AT cmd:%d arg_type:%d arg:%d arg:%s", command_id, arg_type,
int_arg, p_arg);
@@ -594,6 +601,13 @@ void bta_ag_at_hsp_cback(tBTA_AG_SCB* p_scb, uint16_t command_id,
val.hdr.handle = bta_ag_scb_to_idx(p_scb);
val.hdr.app_id = p_scb->app_id;
val.num = (uint16_t)int_arg;
+
+ if ((p_end - p_arg + 1) >= (long)sizeof(val.str)) {
+ APPL_TRACE_ERROR("%s: p_arg is too long, send error and return", __func__);
+ bta_ag_send_error(p_scb, BTA_AG_ERR_TEXT_TOO_LONG);
+ android_errorWriteLog(0x534e4554, "112860487");
+ return;
+ }
strlcpy(val.str, p_arg, sizeof(val.str));
/* call callback with event */
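Review bot: The threshold `(p_end - p_arg + 1) >= (long)sizeof(val.str)` rejects an argument whose length plus terminator is exactly `sizeof(val.str)`, which the following `strlcpy` would copy without truncation — if `p_end` sits on the terminator so that `p_end - p_arg` is the argument length, the exact condition is `(size_t)(p_end - p_arg) >= sizeof(val.str)`; if `p_end` is one past the terminator the expression is off in the other direction, so pin it to whichever convention bta_ag_at_parse follows and say so in a comment. The same expression is repeated in bta_ag_at_hfp_cback below; a small helper shared by both callbacks would keep them in step and give a home for the explanation that the check exists to report `BTA_AG_ERR_TEXT_TOO_LONG` instead of silently truncating. The subtraction also assumes `p_arg <= p_end`, which holds only because bta_ag_process_at now rejects the reverse before calling here.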
@@ -824,7 +838,7 @@ static bool bta_ag_parse_biev_response(tBTA_AG_SCB* p_scb, tBTA_AG_VAL* val) {
*
******************************************************************************/
void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd, uint8_t arg_type,
- char* p_arg, int16_t int_arg) {
+ char* p_arg, char* p_end, int16_t int_arg) {
tBTA_AG_VAL val = {};
tBTA_AG_SCB* ag_scb;
uint32_t i, ind_id;
@@ -843,6 +857,13 @@ void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd, uint8_t arg_type,
val.hdr.status = BTA_AG_SUCCESS;
val.num = static_cast<uint32_t>(int_arg);
val.bd_addr = p_scb->peer_addr;
+
+ if ((p_end - p_arg + 1) >= (long)sizeof(val.str)) {
+ APPL_TRACE_ERROR("%s: p_arg is too long, send error and return", __func__);
+ bta_ag_send_error(p_scb, BTA_AG_ERR_TEXT_TOO_LONG);
+ android_errorWriteLog(0x534e4554, "112860487");
+ return;
+ }
strlcpy(val.str, p_arg, sizeof(val.str));
/**
@@ -1023,7 +1044,7 @@ void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd, uint8_t arg_type,
case BTA_AG_LOCAL_EVT_CMER:
/* if parsed ok store setting, send OK */
- if (bta_ag_parse_cmer(p_arg, &p_scb->cmer_enabled)) {
+ if (bta_ag_parse_cmer(p_arg, p_end, &p_scb->cmer_enabled)) {
bta_ag_send_ok(p_scb);
/* if service level conn. not already open and our features and
@@ -1191,7 +1212,7 @@ void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd, uint8_t arg_type,
/* store available codecs from the peer */
if ((p_scb->peer_features & BTA_AG_PEER_FEAT_CODEC) &&
(p_scb->features & BTA_AG_FEAT_CODEC)) {
- p_scb->peer_codecs = bta_ag_parse_bac(p_scb, p_arg);
+ p_scb->peer_codecs = bta_ag_parse_bac(p_scb, p_arg, p_end);
p_scb->codec_updated = true;
if (p_scb->peer_codecs & BTA_AG_CODEC_MSBC) {
diff --git a/bta/ag/bta_ag_int.h b/bta/ag/bta_ag_int.h
index c6b323096..63934506a 100644
--- a/bta/ag/bta_ag_int.h
+++ b/bta/ag/bta_ag_int.h
@@ -344,9 +344,11 @@ extern void bta_ag_sco_conn_rsp(tBTA_AG_SCB* p_scb,
/* AT command functions */
extern void bta_ag_at_hsp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd,
- uint8_t arg_type, char* p_arg, int16_t int_arg);
+ uint8_t arg_type, char* p_arg, char* p_end,
+ int16_t int_arg);
extern void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd,
- uint8_t arg_type, char* p_arg, int16_t int_arg);
+ uint8_t arg_type, char* p_arg, char* p_end,
+ int16_t int_arg);
extern void bta_ag_at_err_cback(tBTA_AG_SCB* p_scb, bool unknown,
const char* p_arg);
extern bool bta_ag_inband_enabled(tBTA_AG_SCB* p_scb);
diff --git a/bta/hh/bta_hh_act.cc b/bta/hh/bta_hh_act.cc
index 4d85437c6..a7bdc9c76 100644
--- a/bta/hh/bta_hh_act.cc
+++ b/bta/hh/bta_hh_act.cc
@@ -26,6 +26,7 @@
#if (BTA_HH_INCLUDED == TRUE)
+#include <log/log.h>
#include <string.h>
#include "bta_hh_co.h"
@@ -717,6 +718,12 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, tBTA_HH_DATA* p_data) {
APPL_TRACE_DEBUG("Ctrl DATA received w4: event[%s]",
bta_hh_get_w4_event(p_cb->w4_evt));
#endif
+ if (pdata->len == 0) {
+ android_errorWriteLog(0x534e4554, "116108738");
+ p_cb->w4_evt = 0;
+ osi_free_and_reset((void**)&pdata);
+ return;
+ }
hs_data.status = BTA_HH_OK;
hs_data.handle = p_cb->hid_handle;
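Review bot: The early return handles only `pdata->len == 0`, but the code that follows (outside this hunk) reads fields out of the payload, so unless every later read is already bounded by `len` a minimum-length check rather than a zero check is what protects them — worth confirming against the rest of the function. The dropped packet also clears `w4_evt` without telling the application anything: the normal path fills `hs_data.status` and, presumably, reports it through the HH callback, so a caller waiting on this response gets no completion; consider reporting an error status from the same family as `BTA_HH_OK` before the `return`, or document why silently dropping is preferred. The enclosing function continues beyond the hunk.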
diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
index d55a22e70..9ff926509 100644
--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
@@ -23,6 +23,7 @@
*
******************************************************************************/
+#include <cutils/log.h>
#include <string.h>
#include "a2dp_codec_api.h"
#include "avdt_api.h"
@@ -230,10 +231,14 @@ void avdt_scb_hdl_pkt_no_frag(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) {
uint16_t offset;
uint16_t ex_len;
uint8_t pad_len = 0;
+ uint16_t len = p_data->p_pkt->len;
p = p_start = (uint8_t*)(p_data->p_pkt + 1) + p_data->p_pkt->offset;
/* parse media packet header */
+ offset = 12;
+ // AVDT_MSG_PRS_OCTET1(1) + AVDT_MSG_PRS_M_PT(1) + UINT16(2) + UINT32(4) + 4
+ if (offset > len) goto length_error;
AVDT_MSG_PRS_OCTET1(p, o_v, o_p, o_x, o_cc);
AVDT_MSG_PRS_M_PT(p, m_pt, marker);
BE_STREAM_TO_UINT16(seq, p);
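Review bot: The arithmetic comment `// AVDT_MSG_PRS_OCTET1(1) + AVDT_MSG_PRS_M_PT(1) + UINT16(2) + UINT32(4) + 4` leaves the trailing `+ 4` unexplained and sits below the `offset = 12;` it justifies. Move it above the assignment and name the fields, e.g. `// RTP fixed header: V/P/X/CC(1) + M/PT(1) + seq(2) + timestamp(4) + SSRC(4) = 12`, which matches the `p += 4` in the next hunk that appears to skip the SSRC. The function continues outside this hunk.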
@@ -241,18 +246,19 @@ void avdt_scb_hdl_pkt_no_frag(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) {
p += 4;
/* skip over any csrc's in packet */
+ offset += o_cc * 4;
p += o_cc * 4;
/* check for and skip over extension header */
if (o_x) {
+ offset += 4;
+ if (offset > len) goto length_error;
p += 2;
BE_STREAM_TO_UINT16(ex_len, p);
+ offset += ex_len * 4;
p += ex_len * 4;
}
- /* save our new offset */
- offset = (uint16_t)(p - p_start);
-
/* adjust length for any padding at end of packet */
if (o_p) {
/* padding length in last byte of packet */
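Review bot: `offset` is `uint16_t` and `offset += ex_len * 4` adds up to 262140, so for `ex_len >= 16384` the sum wraps modulo 65536 and a later `offset > len` comparison can be satisfied by a packet whose extension claims more bytes than the packet holds; there is also no length check after that addition inside this hunk, so `p += ex_len * 4` is unbounded until wherever the next check is. Check the extension length against the remaining bytes before advancing — `if (ex_len > (len - offset) / 4) goto length_error;` right after `BE_STREAM_TO_UINT16(ex_len, p);` (by then `offset` already includes the 4-byte extension header, so the subtraction cannot go negative) — or widen `offset` to `uint32_t`. `offset += o_cc * 4` is likewise only checked when `o_x` is set; if the rest of the function (outside this hunk) compares `offset` with `len` before dereferencing `p`, that path is covered, otherwise a check after the CSRC skip is needed too.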
@@ -280,6 +286,12 @@ void avdt_scb_hdl_pkt_no_frag(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data) {
osi_free_and_reset((void**)&p_data->p_pkt);
}
}
+ return;
+length_error:
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING("%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, offset);
+ osi_free_and_reset((void**)&p_data->p_pkt);
}
/*******************************************************************************
@@ -296,12 +308,21 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) {
uint8_t* p_start = p;
uint32_t ssrc;
uint8_t o_v, o_p, o_cc;
+ uint16_t min_len = 0;
AVDT_REPORT_TYPE pt;
tAVDT_REPORT_DATA report;
AVDT_TRACE_DEBUG("%s", __func__);
if (p_scb->stream_config.p_report_cback) {
/* parse report packet header */
+ min_len += 8;
+ if (min_len > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d", __func__,
+ len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
AVDT_MSG_PRS_RPT_OCTET1(p, o_v, o_p, o_cc);
pt = *p++;
p += 2;
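Review bot: The `min_len += N; if (min_len > len) { android_errorWriteLog(...); AVDT_TRACE_WARNING(...); goto avdt_scb_hdl_report_exit; }` block appears five times in this function (here and in the SR, RR, SDES and SDES-else hunks below), identical apart from `N`, which is a lot of duplicated text for a bounds check. A file-local macro such as `#define AVDT_RPT_NEED(n) do { min_len += (n); if (min_len > len) { /* log as below */ goto avdt_scb_hdl_report_exit; } } while (0)` keeps the log call and its bug id in one place and lets each parse step read as `AVDT_RPT_NEED(8);`. A brief comment on `min_len` itself (`/* bytes of the report consumed so far; checked before each read */`) would also help, since the variable is declared far above its first use.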
@@ -309,6 +330,14 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) {
switch (pt) {
case AVDT_RTCP_PT_SR: /* the packet type - SR (Sender Report) */
+ min_len += 20;
+ if (min_len > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
BE_STREAM_TO_UINT32(report.sr.ntp_sec, p);
BE_STREAM_TO_UINT32(report.sr.ntp_frac, p);
BE_STREAM_TO_UINT32(report.sr.rtp_time, p);
@@ -317,6 +346,14 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) {
break;
case AVDT_RTCP_PT_RR: /* the packet type - RR (Receiver Report) */
+ min_len += 20;
+ if (min_len > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
report.rr.frag_lost = *p;
BE_STREAM_TO_UINT32(report.rr.packet_lost, p);
report.rr.packet_lost &= 0xFFFFFF;
@@ -328,9 +365,25 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) {
case AVDT_RTCP_PT_SDES: /* the packet type - SDES (Source Description) */
uint8_t sdes_type;
+ min_len += 1;
+ if (min_len > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
BE_STREAM_TO_UINT8(sdes_type, p);
if (sdes_type == AVDT_RTCP_SDES_CNAME) {
uint8_t name_length;
+ min_len += 1;
+ if (min_len > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
BE_STREAM_TO_UINT8(name_length, p);
if (name_length > len - 2 || name_length > AVDT_MAX_CNAME_SIZE) {
result = AVDT_BAD_PARAMS;
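Review bot: The new `min_len` accounting stops one step short: the pre-existing bound on the following line, `name_length > len - 2`, compares the CNAME length with the whole report length minus 2 rather than with the bytes actually remaining, which at this point is `len - min_len` (the 8-byte header plus `sdes_type` and `name_length` have been consumed). A `name_length` of up to `len - 2` therefore still lets `BE_STREAM_TO_ARRAY(p, &(report.cname[0]), name_length)` read up to 8 bytes past the packet. Change the condition to `if (name_length > len - min_len || name_length > AVDT_MAX_CNAME_SIZE)`, which also folds into the running `min_len` scheme this commit introduces.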
@@ -338,6 +391,13 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) {
BE_STREAM_TO_ARRAY(p, &(report.cname[0]), name_length);
}
} else {
+ if (min_len + 1 > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
AVDT_TRACE_WARNING(" - SDES SSRC=0x%08x sc=%d %d len=%d %s", ssrc,
o_cc, *p, *(p + 1), p + 2);
result = AVDT_BUSY;
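Review bot: The guard `min_len + 1 > len` is one byte short for what the trace reads: with `min_len` bytes consumed, `*p` is byte `min_len` and `*(p + 1)` is byte `min_len + 1`, so a report of exactly `min_len + 1` bytes passes the check and `*(p + 1)` reads one past it; the condition should be `min_len + 2 > len` (assuming `p` is at offset `min_len`, as the accounting above implies). The `%s` of `p + 2` is the larger problem: it reads until a NUL that the packet is not required to contain within `len`, and the new check does nothing for it. Either drop that field from the log or bound it, `"... %.*s", (int)(len - min_len - 2), p + 2`, after the corrected check. The message also reports `min_len` as the required minimum while comparing against a larger value; log what you compare against.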
@@ -353,6 +413,7 @@ uint8_t* avdt_scb_hdl_report(AvdtpScb* p_scb, uint8_t* p, uint16_t len) {
(*p_scb->stream_config.p_report_cback)(avdt_scb_to_hdl(p_scb), pt,
&report);
}
+avdt_scb_hdl_report_exit:
p_start += len;
return p_start;
}
diff --git a/stack/mcap/mca_cact.cc b/stack/mcap/mca_cact.cc
index 98a368852..45159ca5c 100644
--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc
@@ -449,12 +449,23 @@ void mca_ccb_hdl_rsp(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
tMCA_RESULT result = MCA_BAD_HANDLE;
tMCA_TC_TBL* p_tbl;
- if (p_ccb->p_tx_req) {
+ if (p_pkt->len < sizeof(evt_data.hdr.op_code) +
+ sizeof(evt_data.rsp.rsp_code) +
+ sizeof(evt_data.hdr.mdl_id)) {
+ android_errorWriteLog(0x534e4554, "116319076");
+ MCA_TRACE_ERROR("%s: Response packet is too short", __func__);
+ } else if (p_ccb->p_tx_req) {
/* verify that the received response matches the sent request */
p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
evt_data.hdr.op_code = *p++;
- if ((evt_data.hdr.op_code == 0) ||
- ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
+ if ((evt_data.hdr.op_code == MCA_OP_MDL_CREATE_RSP) &&
+ (p_pkt->len <
+ sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) +
+ sizeof(evt_data.hdr.mdl_id) + sizeof(evt_data.create_cfm.cfg))) {
+ android_errorWriteLog(0x534e4554, "116319076");
+ MCA_TRACE_ERROR("%s: MDL Create Response packet is too short", __func__);
+ } else if ((evt_data.hdr.op_code == 0) ||
+ ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
evt_data.rsp.rsp_code = *p++;
mca_stop_timer(p_ccb);
BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
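Review bot: The minimum-length expression `sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) + sizeof(evt_data.hdr.mdl_id)` is spelled out twice within a dozen lines; hoist it into a named local, `const size_t min_rsp_len = ...;`, so the two checks cannot drift and the create-response check reads as `min_rsp_len + sizeof(evt_data.create_cfm.cfg)`. On both new too-short paths the function falls through with `result` still `MCA_BAD_HANDLE` and without `mca_stop_timer(p_ccb)`, so a pending request apparently stays pending until its timer fires; if that is the intended handling of a malformed response, a comment saying so would spare the next reader the question. What happens to `p_pkt` afterwards is outside this hunk.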
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index 95f55bf36..1ca2ad3ed 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -55,7 +55,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
static uint8_t* save_attr_seq(tCONN_CB* p_ccb, uint8_t* p, uint8_t* p_msg_end);
static tSDP_DISC_REC* add_record(tSDP_DISCOVERY_DB* p_db,
const RawAddress& p_bda);
-static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
+static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
tSDP_DISC_REC* p_rec, uint16_t attr_id,
tSDP_DISC_ATTR* p_parent_attr, uint8_t nest_level);
@@ -770,7 +770,7 @@ static uint8_t* save_attr_seq(tCONN_CB* p_ccb, uint8_t* p, uint8_t* p_msg_end) {
BE_STREAM_TO_UINT16(attr_id, p);
/* Now, add the attribute value */
- p = add_attr(p, p_ccb->p_db, p_rec, attr_id, NULL, 0);
+ p = add_attr(p, p_seq_end, p_ccb->p_db, p_rec, attr_id, NULL, 0);
if (!p) {
SDP_TRACE_WARNING("SDP - DB full add_attr");
@@ -830,7 +830,7 @@ tSDP_DISC_REC* add_record(tSDP_DISCOVERY_DB* p_db, const RawAddress& p_bda) {
* Returns pointer to next byte in data stream
*
******************************************************************************/
-static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
+static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
tSDP_DISC_REC* p_rec, uint16_t attr_id,
tSDP_DISC_ATTR* p_parent_attr, uint8_t nest_level) {
tSDP_DISC_ATTR* p_attr;
@@ -839,7 +839,7 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
uint16_t attr_type;
uint16_t id;
uint8_t type;
- uint8_t* p_end;
+ uint8_t* p_attr_end;
uint8_t is_additional_list = nest_level & SDP_ADDITIONAL_LIST_MASK;
nest_level &= ~(SDP_ADDITIONAL_LIST_MASK);
@@ -856,6 +856,13 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
else
total_len = sizeof(tSDP_DISC_ATTR);
+ p_attr_end = p + attr_len;
+ if (p_attr_end > p_end) {
+ android_errorWriteLog(0x534e4554, "115900043");
+ SDP_TRACE_WARNING("%s: SDP - Attribute length beyond p_end", __func__);
+ return NULL;
+ }
+
/* Ensure it is a multiple of 4 */
total_len = (total_len + 3) & ~3;
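Review bot: `p_attr_end = p + attr_len` forms the out-of-range pointer before checking it, which is undefined behaviour in C++ when the result lands beyond one-past-the-end of the buffer; compare lengths instead — `if (attr_len > (size_t)(p_end - p)) { /* log */ return NULL; } p_attr_end = p + attr_len;` — which presumes `p <= p_end` on entry (the `p_seq_end` the caller passes in save_attr_seq suggests it does, but that is outside this hunk). Returning NULL here is also indistinguishable to the caller from the out-of-memory case: save_attr_seq logs `"SDP - DB full add_attr"` for any NULL, so a malformed attribute will be diagnosed as a full database. A comment at the `return NULL` noting the conflation, or a distinct signal if the caller can take one, would avoid misleading bug reports. `attr_len`'s type and origin are above this hunk.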
@@ -879,18 +886,17 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
* sub-attributes */
p_db->p_free_mem += sizeof(tSDP_DISC_ATTR);
p_db->mem_free -= sizeof(tSDP_DISC_ATTR);
- p_end = p + attr_len;
total_len = 0;
/* SDP_TRACE_DEBUG ("SDP - attr nest level:%d(list)", nest_level); */
if (nest_level >= MAX_NEST_LEVELS) {
SDP_TRACE_ERROR("SDP - attr nesting too deep");
- return (p_end);
+ return p_attr_end;
}
/* Now, add the list entry */
- p = add_attr(p, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST, p_attr,
- (uint8_t)(nest_level + 1));
+ p = add_attr(p, p_end, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST,
+ p_attr, (uint8_t)(nest_level + 1));
break;
}
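Review bot: The nested call `add_attr(p, p_end, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST, ...)` here, and the one inside `while (p < p_attr_end)` in the later hunk, forward the outer `p_end` as the bound rather than this element's own `p_attr_end`, so a sub-element may extend past the end of the sequence that contains it as long as it stays inside the enclosing buffer; that keeps memory safe but lets one malformed element consume bytes belonging to the following attribute. Passing `p_attr_end` to the recursive calls confines each level to its parent and makes the loop's bound and the recursion's bound the same value. The outer `p_end` remains the right bound for this function's own check above, so only the forwarded argument would change.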
@@ -949,7 +955,7 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
break;
default:
SDP_TRACE_WARNING("SDP - bad len in UUID attr: %d", attr_len);
- return (p + attr_len);
+ return p_attr_end;
}
break;
@@ -959,22 +965,22 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
* sub-attributes */
p_db->p_free_mem += sizeof(tSDP_DISC_ATTR);
p_db->mem_free -= sizeof(tSDP_DISC_ATTR);
- p_end = p + attr_len;
total_len = 0;
/* SDP_TRACE_DEBUG ("SDP - attr nest level:%d", nest_level); */
if (nest_level >= MAX_NEST_LEVELS) {
SDP_TRACE_ERROR("SDP - attr nesting too deep");
- return (p_end);
+ return p_attr_end;
}
if (is_additional_list != 0 ||
attr_id == ATTR_ID_ADDITION_PROTO_DESC_LISTS)
nest_level |= SDP_ADDITIONAL_LIST_MASK;
/* SDP_TRACE_DEBUG ("SDP - attr nest level:0x%x(finish)", nest_level); */
- while (p < p_end) {
+ while (p < p_attr_end) {
/* Now, add the list entry */
- p = add_attr(p, p_db, p_rec, 0, p_attr, (uint8_t)(nest_level + 1));
+ p = add_attr(p, p_end, p_db, p_rec, 0, p_attr,
+ (uint8_t)(nest_level + 1));
if (!p) return (NULL);
}
@@ -992,7 +998,7 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
break;
default:
SDP_TRACE_WARNING("SDP - bad len in boolean attr: %d", attr_len);
- return (p + attr_len);
+ return p_attr_end;
}
break;