Snap for 5063321 from 328ef81e8db4e3685330ba1ccc182f33decb2a48 to pie-cts-release

Change-Id: I346440fb45f9a9a0e1db76119f57ccbaa10a2335
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
index ad3bf3d..5625f90 100644
--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
@@ -35,6 +35,7 @@
 #include "bta_av_api.h"
 #include "bta_av_int.h"
 #include "l2c_api.h"
+#include "log/log.h"
 #include "osi/include/list.h"
 #include "osi/include/log.h"
 #include "osi/include/osi.h"
@@ -784,11 +785,16 @@
       case AVRC_PDU_GET_CAPABILITIES:
         /* process GetCapabilities command without reporting the event to app */
         evt = 0;
+        if (p_vendor->vendor_len != 5) {
+          android_errorWriteLog(0x534e4554, "111893951");
+          p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
+          break;
+        }
         u8 = *(p_vendor->p_vendor_data + 4);
         p = p_vendor->p_vendor_data + 2;
         p_rc_rsp->get_caps.capability_id = u8;
         BE_STREAM_TO_UINT16(u16, p);
-        if ((u16 != 1) || (p_vendor->vendor_len != 5)) {
+        if (u16 != 1) {
           p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
         } else {
           p_rc_rsp->get_caps.status = AVRC_STS_NO_ERROR;
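Review bot: The new early-out at the `vendor_len != 5` guard leaves `p_rc_rsp->get_caps.capability_id` unset, because that field is only assigned from the packet after the guard, whereas the old code filled it before deciding the status; if the rejection response is still built from `get_caps`, it now carries whatever was previously in that field, so either add `p_rc_rsp->get_caps.capability_id = 0;` next to the status or confirm the caller ignores it on `AVRC_STS_INTERNAL_ERR`. The literal 5 also deserves a comment tied to the reads below, e.g. `/* 4-byte PDU header (16-bit field at offset 2 must be 1) + 1-byte capability id at offset 4 */`. The enclosing switch and function continue outside the hunk.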
diff --git a/stack/avrc/avrc_api.cc b/stack/avrc/avrc_api.cc
index 69534e9..53c25a9 100644
--- a/stack/avrc/avrc_api.cc
+++ b/stack/avrc/avrc_api.cc
@@ -24,6 +24,8 @@
 #include <base/logging.h>
 #include <string.h>
 
+#include <log/log.h>
+
 #include "avrc_api.h"
 #include "avrc_int.h"
 #include "bt_common.h"
@@ -660,6 +662,13 @@
     msg.browse.browse_len = p_pkt->len;
     msg.browse.p_browse_pkt = p_pkt;
   } else {
+    if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
+      android_errorWriteLog(0x534e4554, "111803925");
+      AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+                         __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
+      osi_free(p_pkt);
+      return;
+    }
     msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
     AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__,
                      handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
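Review bot: The header-length guard at `p_pkt->len < AVRC_AVC_HDR_SIZE` frees the packet and returns directly, unlike the later too-short guards in the same function (L65–73, L81–89) which set `drop`/`p_drop_msg` and rely on the common drop path; the direct return is understandable since no header can be parsed yet, but a one-line comment such as `/* nothing to parse; release the packet here rather than via the drop path */` would keep a future unification from introducing a double free. The browse branch above (L48–49) stores `p_pkt->len` into `msg.browse` without a corresponding minimum-length check in this diff — worth confirming the browse handler validates it. The enclosing function starts and ends outside the hunk.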
@@ -693,6 +702,15 @@
           p_drop_msg = "auto respond";
         } else {
           /* parse response */
+          if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
+            AVRC_TRACE_WARNING(
+                "%s: message length %d too short: must be at least %d",
+                __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
+            android_errorWriteLog(0x534e4554, "79883824");
+            drop = true;
+            p_drop_msg = "UNIT_INFO_RSP too short";
+            break;
+          }
           p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
           msg.unit.unit_type =
               (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
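Review bot: The nine-line too-short guard added before `p_data += 4` is repeated almost verbatim for SUB_UNIT_INFO at L81–89, differing only in the constant and the drop message; a small static helper taking `p_pkt->len`, the minimum and the drop string (and returning whether to drop) would keep the two in step. The log ordering is also inconsistent across this diff: here the trace precedes `android_errorWriteLog`, while the header-length guard at L51–57 logs in the opposite order — pick one. The `break` leaves the enclosing switch; the enclosing function starts and ends outside the hunk, so confirm the common drop path after the switch is what frees `p_pkt` for these cases.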
@@ -722,6 +740,15 @@
           p_drop_msg = "auto responded";
         } else {
           /* parse response */
+          if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
+            AVRC_TRACE_WARNING(
+                "%s: message length %d too short: must be at least %d",
+                __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
+            android_errorWriteLog(0x534e4554, "79883824");
+            drop = true;
+            p_drop_msg = "SUB_UNIT_INFO_RSP too short";
+            break;
+          }
           p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
           msg.sub.page =
               (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 4421c91..909274d 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -479,6 +479,11 @@
         break;
       }
       BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p);
+      if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) {
+        android_errorWriteLog(0x534e4554, "78526423");
+        p_result->list_app_values.num_val = AVRC_MAX_APP_ATTR_SIZE;
+      }
+
       AVRC_TRACE_DEBUG("%s value count = %d ", __func__,
                        p_result->list_app_values.num_val);
       for (int xx = 0; xx < p_result->list_app_values.num_val; xx++) {
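Review bot: Clamping `num_val` to `AVRC_MAX_APP_ATTR_SIZE` at the new check silently truncates the response rather than flagging it: the loop below reads only the clamped count, `p` is left pointing mid-list, and the caller sees a success status with fewer values than the peer sent. If the surrounding code has a status/`break` path for malformed responses (one is visible just above at L98), setting that status instead of clamping would be more honest; if clamping is intended, a comment such as `/* peer sent more values than we can store; keep the first AVRC_MAX_APP_ATTR_SIZE */` should say so. The hunk also does not show the remaining packet length being checked against `num_val` before the per-value reads in the loop — if that is not done earlier, it is still needed. The enclosing function starts and ends outside the hunk.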
diff --git a/stack/include/rfcdefs.h b/stack/include/rfcdefs.h
index aba555d..ca9b3ce 100644
--- a/stack/include/rfcdefs.h
+++ b/stack/include/rfcdefs.h
@@ -89,13 +89,6 @@
     (pf) = (*(p_data)++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET; \
   }
 
-#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data)                \
-  {                                                               \
-    (ea) = (*(p_data)&RFCOMM_EA);                                 \
-    (length) = (*(p_data)++ >> RFCOMM_SHIFT_LENGTH1);             \
-    if (!(ea)) (length) += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2); \
-  }
-
 #define RFCOMM_FRAME_IS_CMD(initiator, cr) \
   (((initiator) && !(cr)) || (!(initiator) && (cr)))
 
diff --git a/stack/mcap/mca_cact.cc b/stack/mcap/mca_cact.cc
index 48d0c0a..98a3688 100644
--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc
@@ -22,6 +22,7 @@
  *  Functions.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
 #include "bt_common.h"
 #include "bt_target.h"
@@ -251,9 +252,15 @@
   p_rx_msg = (tMCA_CCB_MSG*)p_pkt;
   p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
   evt_data.hdr.op_code = *p++;
-  BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
   reject_opcode = evt_data.hdr.op_code + 1;
 
+  if (p_pkt->len >= 3) {
+    BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
+  } else {
+    android_errorWriteLog(0x534e4554, "110791536");
+    evt_data.hdr.mdl_id = 0;
+  }
+
   MCA_TRACE_DEBUG("received mdl id: %d ", evt_data.hdr.mdl_id);
   if (p_ccb->status == MCA_CCB_STAT_PENDING) {
     MCA_TRACE_DEBUG("received req inpending state");
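Review bot: The literal 3 in `p_pkt->len >= 3` deserves a comment tying it to the fields consumed, e.g. `/* op_code (1) + mdl_id (2) */`, and the one-byte `op_code` read at L142 is itself not guarded by any length check visible in this hunk — if `p_pkt->len` can be 0 on this path that read is unchecked (the caller is outside the hunk; confirm). The short-packet branch also substitutes `mdl_id = 0` and continues into normal request handling rather than rejecting the PDU; unless 0 is reserved as "no MDL" in this stack, a truncated request is then processed as a well-formed one, so rejecting with `reject_opcode` and returning would be the safer shape. The enclosing function starts and ends outside the hunk.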
diff --git a/stack/rfcomm/rfc_ts_frames.cc b/stack/rfcomm/rfc_ts_frames.cc
index 0c8ce09..e3b4b8f 100644
--- a/stack/rfcomm/rfc_ts_frames.cc
+++ b/stack/rfcomm/rfc_ts_frames.cc
@@ -26,6 +26,7 @@
 #include "bt_common.h"
 #include "bt_target.h"
 #include "l2c_api.h"
+#include "log/log.h"
 #include "port_api.h"
 #include "port_int.h"
 #include "rfc_int.h"
@@ -516,7 +517,16 @@
     return (RFC_EVENT_BAD_FRAME);
   }
   RFCOMM_PARSE_TYPE_FIELD(p_frame->type, p_frame->pf, p_data);
-  RFCOMM_PARSE_LEN_FIELD(eal, len, p_data);
+
+  eal = *(p_data)&RFCOMM_EA;
+  len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
+  if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN) {
+    len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
+  } else if (eal == 0) {
+    RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
+    android_errorWriteLog(0x534e4554, "78288018");
+    return RFC_EVENT_BAD_FRAME;
+  }
 
   p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
   p_buf->offset += (3 + !ead + !eal);
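Review bot: The two-branch `if (eal == 0 && ...) ... else if (eal == 0)` at the new length parse repeats the `eal == 0` test and keeps the macro-era parenthesization `*(p_data)&RFCOMM_EA`; a nested form reads more directly and keeps the error path next to the condition it protects (rewrite below). Whether `p_buf->len > RFCOMM_CTRL_FRAME_LEN` is the right threshold for "a second length octet is present" depends on that constant's value, which is not visible here, so a one-line comment stating the intent would help the next reader. Note also that `len` (the length claimed by the frame) is not compared against the remaining `p_buf->len` inside this hunk — if that check lives after the offset adjustment below, fine; otherwise it is still needed. The enclosing function starts and ends outside the hunk.
```cpp
  RFCOMM_PARSE_TYPE_FIELD(p_frame->type, p_frame->pf, p_data);

  eal = *p_data & RFCOMM_EA;
  len = *p_data++ >> RFCOMM_SHIFT_LENGTH1;
  if (eal == 0) {
    /* EA clear: a second length octet follows; make sure the frame carries it. */
    if (p_buf->len <= RFCOMM_CTRL_FRAME_LEN) {
      RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
      android_errorWriteLog(0x534e4554, "78288018");
      return RFC_EVENT_BAD_FRAME;
    }
    len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
  }
  // … unchanged: header-length adjustment of p_buf->len / p_buf->offset …
```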
@@ -611,6 +621,14 @@
   uint8_t ea, cr, mx_len;
   bool is_command;
 
+  if (length < 2) {
+    RFCOMM_TRACE_ERROR(
+        "%s: Illegal MX Frame len when reading EA, C/R. len:%d < 2", __func__,
+        length);
+    android_errorWriteLog(0x534e4554, "111937065");
+    osi_free(p_buf);
+    return;
+  }
   p_rx_frame->ea = *p_data & RFCOMM_EA;
   p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
   p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
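Review bot: The `length < 2` guard, the `length < 1` guard at L205–211 and the MSC length guard at L220–226 are the same four-step pattern (trace, `android_errorWriteLog`, `osi_free(p_buf)`, return); a `goto bad_frame;` label at the end of the function, or a small static helper, would keep the free in one place. The literal 2 should say what it covers, e.g. `/* type/EA/C-R octet + first length octet */` (the first is consumed at L198–200; the second is consumed between hunks, so confirm). Because this path frees `p_buf`, check that the `return;` visible further down at L216 and the function's normal exit agree on who frees the buffer — mixing freeing and non-freeing returns in one function is the classic source of a leak or double free. The enclosing function starts outside the hunk.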
@@ -633,6 +651,13 @@
   length--;
 
   if (!ea) {
+    if (length < 1) {
+      RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0. len:%d < 1",
+                         __func__, length);
+      android_errorWriteLog(0x534e4554, "111937065");
+      osi_free(p_buf);
+      return;
+    }
     mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
     length--;
   }
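Review bot: After the second length octet is folded into `mx_len` here, the hunk does not show `mx_len` being compared against the remaining `length`; the MSC case further down (L220–226) checks `length` rather than `mx_len`, so if the two disagree the frame's own length claim goes unused. A single `if (mx_len > length) { /* bad frame */ }` right after this block would let every case in the switch rely on both being consistent. This may already exist between the hunks — the enclosing function starts and ends outside the hunk; confirm.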
@@ -709,7 +734,13 @@
       return;
 
     case RFCOMM_MX_MSC:
-
+      if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
+          length != RFCOMM_MX_MSC_LEN_NO_BREAK) {
+        RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__, length);
+        android_errorWriteLog(0x534e4554, "111937065");
+        osi_free(p_buf);
+        return;
+      }
       ea = *p_data & RFCOMM_EA;
       cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
       p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
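Review bot: Only the `RFCOMM_MX_MSC` case receives an explicit length check in this diff; the other MX command types handled by the same switch (their cases are outside the hunk) parse from `p_data` the same way and need an equivalent minimum-length test unless `mx_len`/`length` is validated once before the switch. The check compares `length` (bytes remaining in the buffer) rather than `mx_len` (the length the frame claims); a short comment such as `/* MSC payload has a fixed size, with or without the break-signal octet */` would make the intent of the two constants clear. The enclosing function starts and ends outside the hunk.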
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index 365a70c..8d662b8 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -357,8 +357,15 @@
     p = &p_ccb->rsp_list[0];
 
     if (offset) {
+      cpy_len -= 1;
       type = *p++;
+      uint8_t* old_p = p;
       p = sdpu_get_len_from_type(p, type, &list_len);
+      if ((int)cpy_len < (p - old_p)) {
+        SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
+        return;
+      }
+      cpy_len -= (p - old_p);
     }
     if (list_len < cpy_len) {
       cpy_len = list_len;
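Review bot: The new guard at `(int)cpy_len < (p - old_p)` runs after `sdpu_get_len_from_type` has already consumed the length octets, so it bounds what is later copied but not that read itself; likewise `cpy_len -= 1` precedes `type = *p++` with no check that `cpy_len` was at least 1, and if `cpy_len` is unsigned a zero value wraps instead of failing the comparison (its declaration is outside the hunk — confirm). A clearer shape is to test the available bytes before each consume, e.g. `if (cpy_len < 1) { SDP_TRACE_WARNING("%s: no bytes left for type", __func__); return; }` ahead of the type read, and to decide how many length octets may be read before calling the decoder. The comparison also mixes `int` and `ptrdiff_t`; casting the pointer difference to the type of `cpy_len` keeps the intent obvious. The enclosing function starts and ends outside the hunk.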
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index be340ec..15dfae1 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -916,6 +916,15 @@
   uint8_t* p = p_data->p_data;
 
   SMP_TRACE_DEBUG("%s", __func__);
+
+  if (smp_command_has_invalid_parameters(p_cb)) {
+    tSMP_INT_DATA smp_int_data;
+    smp_int_data.status = SMP_INVALID_PARAMETERS;
+    android_errorWriteLog(0x534e4554, "111937065");
+    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+    return;
+  }
+
   STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
 
   smp_key_distribution(p_cb, NULL);
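Review bot: The new guard block (`smp_command_has_invalid_parameters` → fill `tSMP_INT_DATA` → `android_errorWriteLog` → `smp_sm_event(..., SMP_AUTH_CMPL_EVT, ...)` → return) is duplicated verbatim in smp_proc_id_info at L298–304, and `smp_int_data` is only partially initialized (only `.status` is set) before being handed to the state machine; a small static helper that value-initializes the struct (`tSMP_INT_DATA smp_int_data = {};`) and raises the event would remove the copy and make the initialization explicit. If `smp_sm_event` or its handlers read any field other than `status` for this event, the uninitialized bytes are a latent bug — confirm against the handler. The enclosing function starts outside the hunk.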
@@ -929,6 +938,14 @@
   tBTM_LE_PENC_KEYS le_key;
 
   SMP_TRACE_DEBUG("%s", __func__);
+
+  if (p_cb->rcvd_cmd_len < 11) {  // 1(Code) + 2(EDIV) + 8(Rand)
+    android_errorWriteLog(0x534e4554, "111937027");
+    SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
+                    __func__, p_cb->rcvd_cmd_len);
+    return;
+  }
+
   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
 
   STREAM_TO_UINT16(le_key.ediv, p);
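Review bot: This short-length check returns silently, whereas the sibling guards in this diff (L259–265 and L298–304) report the failure to the state machine with `SMP_AUTH_CMPL_EVT`/`SMP_INVALID_PARAMETERS`; a malformed message here therefore leaves the pairing procedure in whatever state it was in rather than terminating it, which looks inconsistent unless deliberate — a comment saying why, or the same event, would resolve it. The literal `11` is explained by the trailing comment, but a named constant (e.g. `SMP_MASTER_ID_CMD_LEN` or whatever the file's naming convention suggests) shared with the encoder side would keep the two from drifting; if `smp_command_has_invalid_parameters` already covers this command's length, using it here would be more uniform still. The enclosing function starts outside the hunk.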
@@ -948,13 +965,22 @@
 }
 
 /*******************************************************************************
- * Function     smp_proc_enc_info
+ * Function     smp_proc_id_info
  * Description  process identity information from peer device
  ******************************************************************************/
 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   uint8_t* p = p_data->p_data;
 
   SMP_TRACE_DEBUG("%s", __func__);
+
+  if (smp_command_has_invalid_parameters(p_cb)) {
+    tSMP_INT_DATA smp_int_data;
+    smp_int_data.status = SMP_INVALID_PARAMETERS;
+    android_errorWriteLog(0x534e4554, "111937065");
+    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+    return;
+  }
+
   STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
   smp_key_distribution_by_transport(p_cb, NULL);
 }