
Merge changes from topic "am-3e56facc-2987-45a7-902e-643b62b0dad3" into nyc-dr1-dev
authorTreeHugger Robot <treehugger-gerrit@google.com>
Thu, 12 Jul 2018 22:28:54 +0000 (22:28 +0000)
committerAndroid (Google) Code Review <android-gerrit@google.com>
Thu, 12 Jul 2018 22:28:54 +0000 (22:28 +0000)
* changes:
  [automerger] DO NOT MERGE HID Host: Check L2CAP packet data length am: 4344cfb76a
  DO NOT MERGE HID Host: Check L2CAP packet data length

btif/src/btif_hf.c
stack/l2cap/l2c_main.c
stack/sdp/sdp_server.c

index 6abf099..9d963d1 100644 (file)
@@ -33,6 +33,7 @@
 
 #include <hardware/bluetooth.h>
 #include <hardware/bt_hf.h>
+#include <log/log.h>
 
 #include "bta_ag_api.h"
 #include "btcore/include/bdaddr.h"
@@ -1261,13 +1262,20 @@ static bt_status_t clcc_response(int index, bthf_call_direction_t dir,
                           index, dir, state, mode, number, type);
             xx = sprintf (ag_res.str, "%d,%d,%d,%d,%d",
                          index, dir, state, mode, mpty);
+            char number_copy[sizeof(ag_res.str)];
+            // 9 = [,]["][+]["][,][3_digit_type][null_terminator]
+            int max_number_len = sizeof(ag_res.str) - xx - 9;
+            int number_len = snprintf(number_copy, max_number_len, "%s", number);
+            if (number_len >= max_number_len) {
+              android_errorWriteLog(0x534e4554, "79266386");
+            }
 
             if (number)
             {
                 if ((type == BTHF_CALL_ADDRTYPE_INTERNATIONAL) && (*number != '+'))
-                    sprintf (&ag_res.str[xx], ",\"+%s\",%d", number, type);
+                    sprintf (&ag_res.str[xx], ",\"+%s\",%d", number_copy, type);
                 else
-                    sprintf (&ag_res.str[xx], ",\"%s\",%d", number, type);
+                    sprintf (&ag_res.str[xx], ",\"%s\",%d", number_copy, type);
             }
         }
         BTA_AgResult (btif_hf_cb[idx].handle, BTA_AG_CLCC_RES, &ag_res);
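Review bot: The new `snprintf(number_copy, max_number_len, "%s", number)` runs before the `if (number)` guard that follows it, so a NULL number — which the original code explicitly tolerated — is now passed to `%s`, undefined behaviour in C (bionic happens to print "(null)", but nothing should rely on that). Moving the three new declaration/copy lines plus the length check inside the `if (number)` block, as the phone_state_change hunk below already does, fixes it. In both this hunk and the phone_state_change one, a negative snprintf return (encoding error) leaves `number_len >= max_number_len` false while number_copy holds unspecified contents; `if (number_len < 0 || number_len >= max_number_len)` catches that case too, though what to do then (drop the number field rather than proceed) is a design decision. clcc_response begins before and ends after this hunk.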
@@ -1420,10 +1428,17 @@ static bt_status_t phone_state_change(int num_active, int num_held, bthf_call_st
                 if (number)
                 {
                     int xx = 0;
+                    char number_copy[sizeof(ag_res.str)];
+                    // 8 = ["][+]["][,][3_digit_type][null_terminator]
+                    int max_number_len = sizeof(ag_res.str) - xx - 8;
+                    int number_len = snprintf(number_copy, max_number_len, "%s", number);
+                    if (number_len >= max_number_len) {
+                      android_errorWriteLog(0x534e4554, "79431031");
+                    }
                     if ((type == BTHF_CALL_ADDRTYPE_INTERNATIONAL) && (*number != '+'))
-                        xx = sprintf (ag_res.str, "\"+%s\"", number);
+                        xx = sprintf (ag_res.str, "\"+%s\"", number_copy);
                     else
-                        xx = sprintf (ag_res.str, "\"%s\"", number);
+                        xx = sprintf (ag_res.str, "\"%s\"", number_copy);
                     ag_res.num = type;
 
                     if (res == BTA_AG_CALL_WAIT_RES)
index 05e9cd9..818060b 100644 (file)
@@ -562,6 +562,10 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
                     /* sanity check option length */
                     if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len)
                     {
+                        if (p + cfg_len > p_next_cmd) {
+                            android_errorWriteLog(0x534e4554, "79488381");
+                            return;
+                        }
                         p += cfg_len;
                         if ((cfg_code & 0x80) == 0)
                         {
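Review bot: `if (p + cfg_len > p_next_cmd)` forms a pointer past the end of the packet before comparing it, which is undefined behaviour in C whenever p + cfg_len lands beyond one-past-the-end of the receive buffer, and optimisers may fold such comparisons. Comparing remaining length instead avoids it: `if (cfg_len > (size_t)(p_next_cmd - p))`, assuming p never exceeds p_next_cmd at this point, which I cannot confirm from the hunk. The earlier `cfg_len + L2CAP_CFG_OPTION_OVERHEAD <= cmd_len` test does not subsume this check, since p has already advanced within the command, so the new guard is needed; it just should not be written as pointer arithmetic. process_l2cap_cmd starts and ends outside this hunk.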
index 100d35b..e276dae 100644 (file)
@@ -442,6 +442,14 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
             /* if there is a partial attribute pending to be sent */
             if (p_ccb->cont_info.attr_offset)
             {
+                if (attr_len < p_ccb->cont_info.attr_offset)
+                {
+                    android_errorWriteLog(0x534e4554, "79217770");
+                    SDP_TRACE_ERROR("offset is bigger than attribute length");
+                    sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+                                            SDP_TEXT_BAD_CONT_LEN);
+                    return;
+                }
                 p_rsp = sdpu_build_partial_attrib_entry (p_rsp, p_attr, rem_len,
                                                          &p_ccb->cont_info.attr_offset);
 
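Review bot: The eight-line guard added here is repeated verbatim in process_service_search_attr_req (the next hunk), with the same log id, trace message and error response; a small static helper taking p_ccb, trans_num and attr_len that logs, sends the error and returns a failure flag would keep the two copies in step. On the new error path p_ccb->cont_info.attr_offset is left as it was, so whether a later request on the same connection can trip the same stale offset again depends on what sdpu_build_n_send_error resets, which is not visible here and worth confirming. A one-line comment above the check, `/* continuation offset past the attribute end is a malformed continuation state, not a syntax error */`, would record why SDP_INVALID_CONT_STATE is the chosen response. process_service_attr_req begins before and ends after this hunk.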
@@ -694,6 +702,14 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
                 /* if there is a partial attribute pending to be sent */
                 if (p_ccb->cont_info.attr_offset)
                 {
+                    if (attr_len < p_ccb->cont_info.attr_offset)
+                    {
+                        android_errorWriteLog(0x534e4554, "79217770");
+                        SDP_TRACE_ERROR("offset is bigger than attribute length");
+                        sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+                                                SDP_TEXT_BAD_CONT_LEN);
+                        return;
+                    }
                     p_rsp = sdpu_build_partial_attrib_entry (p_rsp, p_attr, rem_len,
                                                              &p_ccb->cont_info.attr_offset);