
Merge "Fix potential OOB write in btm_read_remote_ext_features_complete" into oc...
[android-x86/system-bt.git] / stack / btm / btm_acl.cc
index 07a80fb..34041d6 100644 (file)
@@ -47,6 +47,7 @@
 #include "device/include/interop.h"
 #include "hcidefs.h"
 #include "hcimsgs.h"
+#include "log/log.h"
 #include "l2c_int.h"
 #include "osi/include/osi.h"
 
@@ -1076,7 +1077,7 @@ void btm_read_remote_features_complete(uint8_t* p) {
  * Returns          void
  *
  ******************************************************************************/
-void btm_read_remote_ext_features_complete(uint8_t* p) {
+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
   tACL_CONN* p_acl_cb;
   uint8_t page_num, max_page;
   uint16_t handle;
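Review bot: The new `evt_len` parameter is not described in the function's header comment, whose tail (`Returns void`) is visible just above the changed signature; the Parameters part of that comment lies above the hunk, so I cannot confirm whether it was touched, but the diff shows no change to it. Suggest adding a line such as `*                  evt_len - length in bytes of the event payload at p, as delivered by the HCI layer`, since the length check in the body is only meaningful if every caller passes the actually received length rather than a nominal constant. The callers that now supply `evt_len` are outside this diff and should be checked for that.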
@@ -1084,6 +1085,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
 
   BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
 
+  if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
+    android_errorWriteLog(0x534e4554, "141552859");
+    BTM_TRACE_ERROR(
+        "btm_read_remote_ext_features_complete evt length too short. length=%d",
+        evt_len);
+    return;
+  }
+
   ++p;
   STREAM_TO_UINT16(handle, p);
   STREAM_TO_UINT8(page_num, p);
@@ -1103,6 +1112,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
     return;
   }
 
+  if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {
+    android_errorWriteLog(0x534e4554, "141552859");
+    BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
+                    page_num);
+    return;
+  }
+
+  if (page_num > max_page) {
+    BTM_TRACE_WARNING(
+        "btm_read_remote_ext_features_complete num_page=%d, max_page=%d "
+        "invalid", page_num, max_page);
+  }
+
   p_acl_cb = &btm_cb.acl_db[acl_idx];
 
   /* Copy the received features page */
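Review bot: `if (page_num > max_page)` only logs a warning and falls through to the copy at the bottom of the hunk, while the `HCI_EXT_FEATURES_PAGE_MAX` check right above it rejects the event; the two checks look deliberately asymmetric (the array bound is what prevents the out-of-bounds write, `max_page` is peer-reported and advisory), but nothing in the code says so. A later reader may "fix" the warning branch into a `return` or delete it, so I would pin the intent: `/* page_num is already bounded by HCI_EXT_FEATURES_PAGE_MAX above; a page beyond the peer's advertised max_page is logged but still stored. */`. The copy itself and whatever follows it are outside the hunk, so I have not verified that `page_num` is the only index derived from this event.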