Add an event length check to reject an HCI event sent from the controller
whose length is not correct.
Add a page number check to reject a page number that is bigger than
HCI_EXT_FEATURES_PAGE_MAX.
Bug:
141552859
Bug:
144205318
Test: inject function
Merged-In: Iaca4db4ee9bf27362f62aba0da088727e98955d1
Change-Id: Iaca4db4ee9bf27362f62aba0da088727e98955d1
#include "device/include/interop.h"
#include "hcidefs.h"
#include "hcimsgs.h"
+#include "log/log.h"
#include "l2c_int.h"
#include "osi/include/osi.h"
* Returns void
*
******************************************************************************/
-void btm_read_remote_ext_features_complete(uint8_t* p) {
+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
tACL_CONN* p_acl_cb;
uint8_t page_num, max_page;
uint16_t handle;
BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
+ if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
+ android_errorWriteLog(0x534e4554, "141552859");
+ BTM_TRACE_ERROR(
+ "btm_read_remote_ext_features_complete evt length too short. length=%d",
+ evt_len);
+ return;
+ }
+
++p;
STREAM_TO_UINT16(handle, p);
STREAM_TO_UINT8(page_num, p);
return;
}
+ if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {
+ android_errorWriteLog(0x534e4554, "141552859");
+ BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
+ page_num);
+ return;
+ }
+
+ if (page_num > max_page) {
+ BTM_TRACE_WARNING(
+ "btm_read_remote_ext_features_complete num_page=%d, max_page=%d "
+ "invalid", page_num, max_page);
+ }
+
p_acl_cb = &btm_cb.acl_db[acl_idx];
/* Copy the received features page */
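Review bot: The new evt_len parameter of btm_read_remote_ext_features_complete is not described in the function's header comment, whose tail is visible just above the signature, and neither early return is mentioned there. I would extend that comment with `* Parameters: p - HCI event parameters, starting at the status byte` and `* evt_len - length of the event parameters; events shorter than HCI_EXT_FEATURES_SUCCESS_EVT_LEN are dropped`, and state that a page_num above HCI_EXT_FEATURES_PAGE_MAX is rejected while a page_num above max_page is only warned about and still processed. Both rejections tag android_errorWriteLog with 141552859 although the commit also lists 144205318; if the page-number check belongs to that second bug, its tag should match. The lines between the STREAM_TO_UINT8 of page_num and the `return;` are elided on this rendered page, and the function body continues past the end of the hunk.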
extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr,
tBT_TRANSPORT transport);
extern void btm_read_remote_features_complete(uint8_t* p);
-extern void btm_read_remote_ext_features_complete(uint8_t* p);
+extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
extern void btm_read_remote_ext_features_failed(uint8_t status,
uint16_t handle);
extern void btm_read_remote_version_complete(uint8_t* p);
static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
static void btu_hcif_encryption_change_evt(uint8_t* p);
static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+ uint8_t evt_len);
static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);
btu_hcif_read_rmt_features_comp_evt(p);
break;
case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
- btu_hcif_read_rmt_ext_features_comp_evt(p);
+ btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
break;
case HCI_READ_RMT_VERSION_COMP_EVT:
btu_hcif_read_rmt_version_comp_evt(p);
* Returns void
*
******************************************************************************/
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+ uint8_t evt_len) {
uint8_t* p_cur = p;
uint8_t status;
uint16_t handle;
STREAM_TO_UINT8(status, p_cur);
if (status == HCI_SUCCESS)
- btm_read_remote_ext_features_complete(p);
+ btm_read_remote_ext_features_complete(p, evt_len);
else {
STREAM_TO_UINT16(handle, p_cur);
btm_read_remote_ext_features_failed(status, handle);
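Review bot: evt_len is forwarded on the success path but never checked on the failure path, where `STREAM_TO_UINT16(handle, p_cur)` reads the second and third event bytes regardless of the declared parameter length. A guard before the first STREAM_TO_UINT8, such as `if (evt_len < 3) return;` with the 3 replaced by a named constant next to HCI_EXT_FEATURES_SUCCESS_EVT_LEN (a constructed name like HCI_EXT_FEATURES_FAILED_EVT_LEN) and the same BTM_TRACE_ERROR/android_errorWriteLog reporting the success path now gets, would cover both branches. Whether an under-length read here actually leaves the HCI buffer depends on how the caller sizes it, which this hunk does not show; the else branch and the function continue past the hunk.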
#define HCI_FEATURE_BYTES_PER_PAGE 8
+#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
+
#define HCI_FEATURES_KNOWN(x) \
(((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0)
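Review bot: HCI_EXT_FEATURES_SUCCESS_EVT_LEN is introduced as a bare 13 with no indication of what it counts, which makes it easy to drift from the parsing code that relies on it. The value presumably is status(1) + handle(2) + page number(1) + max page(1) + HCI_FEATURE_BYTES_PER_PAGE(8); a comment spelling out that breakdown, `/* status(1) + handle(2) + page_num(1) + max_page(1) + HCI_FEATURE_BYTES_PER_PAGE */`, would make the length check in btm_read_remote_ext_features_complete self-explanatory.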