DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu

[android-x86/system-bt.git] / stack / l2cap / l2c_fcr.c

diff --git a/stack/l2cap/l2c_fcr.c b/stack/l2cap/l2c_fcr.c
index 5ba8b56..4c0fb41 100644 (file)
--- a/stack/l2cap/l2c_fcr.c
+++ b/stack/l2cap/l2c_fcr.c
@@ -24,6 +24,7 @@
  ******************************************************************************/
 
 #include <assert.h>
+#include <log/log.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -839,7 +840,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)
 
     if (p_ccb->is_first_seg)
     {
+        if (p_buf->len < sizeof(sdu_length)) {
+          L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",
+                            __func__, p_buf->len);
+          android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);
+          /* Discard the buffer */
+          osi_free(p_buf);
+          return;
+        }
         STREAM_TO_UINT16(sdu_length, p);
+
         /* Check the SDU Length with local MTU size */
         if (sdu_length > p_ccb->local_conn_cfg.mtu)
         {
@@ -848,6 +858,17 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)
             return;
         }
 
+        p_buf->len -= sizeof(sdu_length);
+        p_buf->offset += sizeof(sdu_length);
+
+        if (sdu_length < p_buf->len) {
+            L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
+            android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
+            /* Discard the buffer */
+            osi_free(p_buf);
+            return;
+        }
+
 
         if ((p_data = (BT_HDR *) osi_malloc(L2CAP_MAX_BUF_SIZE)) == NULL)
         {
@@ -859,13 +880,25 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)
         p_data->len = 0;
         p_ccb->ble_sdu_length = sdu_length;
         L2CAP_TRACE_DEBUG ("%s SDU Length = %d",__func__,sdu_length);
-        p_buf->len -= sizeof(sdu_length);
-        p_buf->offset += sizeof(sdu_length);
         p_data->offset = 0;
+    } else {
+      p_data = p_ccb->ble_sdu;
+      if (p_buf->len > (p_ccb->ble_sdu_length - p_data->len)) {
+        L2CAP_TRACE_ERROR("%s: buffer length=%d too big. max=%d. Dropped",
+                          __func__, p_data->len,
+                          (p_ccb->ble_sdu_length - p_data->len));
+        android_errorWriteWithInfoLog(0x534e4554, "75298652", -1, NULL, 0);
+        osi_free(p_buf);
 
+        /* Throw away all pending fragments and disconnects */
+        p_ccb->is_first_seg = true;
+        osi_free(p_ccb->ble_sdu);
+        p_ccb->ble_sdu = NULL;
+        p_ccb->ble_sdu_length = 0;
+        l2cu_disconnect_chnl(p_ccb);
+        return;
+      }
     }
-    else
-        p_data = p_ccb->ble_sdu;
 
     memcpy((UINT8*)(p_data + 1) + p_data->offset + p_data->len, (UINT8*)(p_buf + 1) + p_buf->offset, p_buf->len);
     p_data->len += p_buf->len;
@@ -881,11 +914,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)
     {
         p_ccb->is_first_seg = FALSE;
     }
-    else
-    {
-        L2CAP_TRACE_ERROR ("%s Length in the SDU messed up",__func__);
-        // TODO: reset every thing may be???
-    }
 
     osi_free(p_buf);
     return;