OSDN Git Service

(root) / android-x86 / system-bt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 28af328)
HIDD: Prevent integer underflow in bta_hd_act
authorHansong Zhang <hsz@google.com>
Thu, 21 Jun 2018 23:53:41 +0000 (16:53 -0700)
committerHansong Zhang <hsz@google.com>
Tue, 3 Jul 2018 17:38:47 +0000 (10:38 -0700)
Bug: 109757435
Bug: 109757168
Bug: 110846194
Bug: 109757986
Test: manual
Change-Id: I80a6f3f931ac7512f1ba801cc5d8de6ac04f3422

bta/hd/bta_hd_act.cc patch | blob | history

diff --git a/bta/hd/bta_hd_act.cc b/bta/hd/bta_hd_act.cc
index 75e4ea5..b061d29 100644 (file)
--- a/bta/hd/bta_hd_act.cc
+++ b/bta/hd/bta_hd_act.cc
@@ -36,6 +36,7 @@
 #include "bta_sys.h"
 #include "btm_api.h"
 
+#include "log/log.h"
 #include "osi/include/osi.h"
 
 static void bta_hd_cback(BD_ADDR bd_addr, uint8_t event, uint32_t data,
@@ -504,6 +505,10 @@ extern void bta_hd_intr_data_act(tBTA_HD_DATA* p_data) {
   APPL_TRACE_API("%s", __func__);
 
   if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+    if (len < 1) {
+      android_errorWriteLog(0x534e4554, "109757986");
+      return;
+    }
     ret.report_id = *p_buf;
 
     len--;
@@ -536,15 +541,31 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA* p_data) {
 
   APPL_TRACE_API("%s", __func__);
 
+  uint16_t remaining_len = p_msg->len;
+  if (remaining_len < 1) {
+    android_errorWriteLog(0x534e4554, "109757168");
+    return;
+  }
+
   ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
   p_buf++;
+  remaining_len--;
 
   if (bta_hd_cb.use_report_id) {
+    if (remaining_len < 1) {
+      android_errorWriteLog(0x534e4554, "109757168");
+      return;
+    }
     ret.report_id = *p_buf;
     p_buf++;
+    remaining_len--;
   }
 
   if (rep_size_follows) {
+    if (remaining_len < 2) {
+      android_errorWriteLog(0x534e4554, "109757168");
+      return;
+    }
     ret.buffer_size = *p_buf | (*(p_buf + 1) << 8);
   }
 
@@ -569,11 +590,19 @@ extern void bta_hd_set_report_act(tBTA_HD_DATA* p_data) {
 
   APPL_TRACE_API("%s", __func__);
 
+  if (len < 1) {
+    android_errorWriteLog(0x534e4554, "110846194");
+    return;
+  }
   ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
   p_buf++;
   len--;
 
   if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+    if (len < 1) {
+      android_errorWriteLog(0x534e4554, "109757435");
+      return;
+    }
     ret.report_id = *p_buf;
 
     len--;
system/bt
About OSDN
Find Software
Develop Software
Help