
Add bound check for rfc_parse_data
authorHansong Zhang <hsz@google.com>
Thu, 7 Jun 2018 23:11:27 +0000 (16:11 -0700)
committerHansong Zhang <hsz@google.com>
Fri, 13 Jul 2018 16:09:53 +0000 (16:09 +0000)
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
Merged-In: I44349cd22c141483d01bce0f5a2131b727d0feb0

stack/include/rfcdefs.h
stack/rfcomm/rfc_ts_frames.c

index dcc37bc..1c751f3 100644 (file)
     pf   = (*p_data++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET;\
 }
 
-#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data)          \
-{                                                           \
-    ea = (*p_data & RFCOMM_EA);                             \
-    length = (*p_data++ >> RFCOMM_SHIFT_LENGTH1);           \
-    if (!ea) length += (*p_data++ << RFCOMM_SHIFT_LENGTH2); \
-}
-
 #define RFCOMM_FRAME_IS_CMD(initiator, cr)                  \
     (( (initiator) && !(cr)) || (!(initiator) &&  (cr)))
 
index 8120893..4bb92ec 100644 (file)
@@ -31,6 +31,7 @@
 #include "l2c_api.h"
 #include "port_int.h"
 #include "rfc_int.h"
+#include "log/log.h"
 
 /*******************************************************************************
 **
@@ -591,7 +592,15 @@ UINT8 rfc_parse_data (tRFC_MCB *p_mcb, MX_FRAME *p_frame, BT_HDR *p_buf)
         return (RFC_EVENT_BAD_FRAME);
     }
     RFCOMM_PARSE_TYPE_FIELD (p_frame->type, p_frame->pf, p_data);
-    RFCOMM_PARSE_LEN_FIELD (eal, len, p_data);
+    eal = *p_data & RFCOMM_EA;
+    len = (*p_data++ >> RFCOMM_SHIFT_LENGTH1);
+    if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN) {
+        len += (*p_data++ << RFCOMM_SHIFT_LENGTH2);
+    } else if (eal == 0) {
+        RFCOMM_TRACE_ERROR ("Bad Length when EAL = 0: %d", p_buf->len);
+        android_errorWriteLog(0x534e4554, "78288018");
+        return RFC_EVENT_BAD_FRAME;
+    }
 
     p_buf->len      -= (3 + !ead + !eal + 1);  /* Additional 1 for FCS */
     p_buf->offset   += (3 + !ead + !eal);
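Review bot: The new bound check on the `eal == 0` path is inverted: the branch that reads the second length octet is taken only when `p_buf->len < RFCOMM_CTRL_FRAME_LEN`, yet consuming one more byte after address, control and first length octet needs the buffer to be *longer* than the minimum control frame, not shorter. If the check whose `return (RFC_EVENT_BAD_FRAME);` sits at the top of the hunk already rejects buffers below RFCOMM_CTRL_FRAME_LEN (presumably, given the later `p_buf->len -= (3 + !ead + !eal + 1)`), the first branch is unreachable and every extended-length frame is now dropped as a bad frame; if it does not, a short buffer is exactly the case that reads past the end. The condition should be `if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN) {`, with the error branch unchanged. rfc_parse_data starts before and continues after this hunk, so the earlier length check and the final `p_buf->len != len` comparison are not visible here and should be re-read together with this change.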