process_l2cap_cmd: Fix OOB

Bug: 119870451
Test: POC
Change-Id: I2f5e7fedd9aed96c4ffc55af79fdac61c2e5b087
Merged-In: I5131bbf9cda6248fdbbc4bb91916b2fe3731246e

diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index 77d58e5..6a86aea 100644 (file)
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -472,7 +472,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
           switch (cfg_code & 0x7F) {
             case L2CAP_CFG_TYPE_MTU:
               cfg_info.mtu_present = true;
-              if (p + 2 > p_next_cmd) {
+              if (cfg_len != 2) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
@@ -481,7 +485,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 
             case L2CAP_CFG_TYPE_FLUSH_TOUT:
               cfg_info.flush_to_present = true;
-              if (p + 2 > p_next_cmd) {
+              if (cfg_len != 2) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
@@ -490,7 +498,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 
             case L2CAP_CFG_TYPE_QOS:
               cfg_info.qos_present = true;
-              if (p + 2 + 5 * 4 > p_next_cmd) {
+              if (cfg_len != 2 + 5 * 4) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
@@ -505,7 +517,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 
             case L2CAP_CFG_TYPE_FCR:
               cfg_info.fcr_present = true;
-              if (p + 3 + 3 * 2 > p_next_cmd) {
+              if (cfg_len != 3 + 3 * 2) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
@@ -519,7 +535,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 
             case L2CAP_CFG_TYPE_FCS:
               cfg_info.fcs_present = true;
-              if (p + 1 > p_next_cmd) {
+              if (cfg_len != 1) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
@@ -528,7 +548,11 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 
             case L2CAP_CFG_TYPE_EXT_FLOW:
               cfg_info.ext_flow_spec_present = true;
-              if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+              if (cfg_len != 2 + 2 + 3 * 4) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }

diff --git a/stack/l2cap/l2c_utils.cc b/stack/l2cap/l2c_utils.cc
index f6728d6..12a4e68 100644 (file)
--- a/stack/l2cap/l2c_utils.cc
+++ b/stack/l2cap/l2c_utils.cc
@@ -791,6 +791,9 @@ void l2cu_send_peer_config_rej(tL2C_CCB* p_ccb, uint8_t* p_data,
       case L2CAP_CFG_TYPE_MTU:
       case L2CAP_CFG_TYPE_FLUSH_TOUT:
       case L2CAP_CFG_TYPE_QOS:
+      case L2CAP_CFG_TYPE_FCR:
+      case L2CAP_CFG_TYPE_FCS:
+      case L2CAP_CFG_TYPE_EXT_FLOW:
         p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
         break;