process_l2cap_cmd: Fix OOB

Bug: 119870451
Test: POC
Change-Id: I2f5e7fedd9aed96c4ffc55af79fdac61c2e5b087
Merged-In: I5131bbf9cda6248fdbbc4bb91916b2fe3731246e
(cherry picked from commit 94fd011bc9a72081cc691ed7d6e6eec42e9f4539)

diff --git a/stack/l2cap/l2c_main.c b/stack/l2cap/l2c_main.c
index 36840c7..6d1d297 100644 (file)
--- a/stack/l2cap/l2c_main.c
+++ b/stack/l2cap/l2c_main.c
@@ -496,7 +496,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
                 {
                 case L2CAP_CFG_TYPE_MTU:
                     cfg_info.mtu_present = TRUE;
-                    if (p + 2 > p_next_cmd) {
+                    if (cfg_len != 2) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -505,7 +509,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FLUSH_TOUT:
                     cfg_info.flush_to_present = TRUE;
-                    if (p + 2 > p_next_cmd) {
+                    if (cfg_len != 2) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -514,7 +522,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_QOS:
                     cfg_info.qos_present = TRUE;
-                    if (p + 2 + 5 * 4 > p_next_cmd) {
+                    if (cfg_len != 2 + 5 * 4) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -529,7 +541,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FCR:
                     cfg_info.fcr_present = TRUE;
-                    if (p + 3 + 3 * 2 > p_next_cmd) {
+                    if (cfg_len != 3 + 3 * 2) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -543,7 +559,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FCS:
                     cfg_info.fcs_present = TRUE;
-                    if (p + 1 > p_next_cmd) {
+                    if (cfg_len != 1) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -552,7 +572,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_EXT_FLOW:
                     cfg_info.ext_flow_spec_present = TRUE;
-                    if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+                    if (cfg_len != 2 + 2 + 3 * 4) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -635,7 +659,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
                 {
                 case L2CAP_CFG_TYPE_MTU:
                     cfg_info.mtu_present = TRUE;
-                    if (p + 2 > p_next_cmd) {
+                    if (cfg_len != 2) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -644,7 +672,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FLUSH_TOUT:
                     cfg_info.flush_to_present = TRUE;
-                    if (p + 2 > p_next_cmd) {
+                    if (cfg_len != 2) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -653,7 +685,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_QOS:
                     cfg_info.qos_present = TRUE;
-                    if (p + 2 + 5 * 4 > p_next_cmd) {
+                    if (cfg_len != 2 + 5 * 4) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -668,7 +704,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FCR:
                     cfg_info.fcr_present = TRUE;
-                    if (p + 3 + 3 * 2 > p_next_cmd) {
+                    if (cfg_len != 3 + 3 * 2) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -682,7 +722,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FCS:
                     cfg_info.fcs_present = TRUE;
-                    if (p + 1 > p_next_cmd) {
+                    if (cfg_len != 1) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }
@@ -691,7 +735,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_EXT_FLOW:
                     cfg_info.ext_flow_spec_present = TRUE;
-                    if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+                    if (cfg_len != 2 + 2 + 3 * 4) {
+                      android_errorWriteLog(0x534e4554, "119870451");
+                      return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                       android_errorWriteLog(0x534e4554, "74202041");
                       return;
                     }

diff --git a/stack/l2cap/l2c_utils.c b/stack/l2cap/l2c_utils.c
index 136d608..49145cc 100644 (file)
--- a/stack/l2cap/l2c_utils.c
+++ b/stack/l2cap/l2c_utils.c
@@ -860,6 +860,9 @@ void l2cu_send_peer_config_rej (tL2C_CCB *p_ccb, UINT8 *p_data, UINT16 data_len,
             case L2CAP_CFG_TYPE_MTU:
             case L2CAP_CFG_TYPE_FLUSH_TOUT:
             case L2CAP_CFG_TYPE_QOS:
+            case L2CAP_CFG_TYPE_FCR:
+            case L2CAP_CFG_TYPE_FCS:
+            case L2CAP_CFG_TYPE_EXT_FLOW:
                 p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
                 break;