RESTRICT AUTOMERGE Contain avrc_ctrl_pars_vendor_cmd OOB write

author Chris Manton <cmanton@google.com>

Sun, 21 Mar 2021 22:51:18 +0000 (15:51 -0700)

committer Chris Manton <cmanton@google.com>

Wed, 24 Mar 2021 16:20:49 +0000 (16:20 +0000)
author Chris Manton <cmanton@google.com>
Sun, 21 Mar 2021 22:51:18 +0000 (15:51 -0700)
committer Chris Manton <cmanton@google.com>
Wed, 24 Mar 2021 16:20:49 +0000 (16:20 +0000)
diff --git a/stack/avrc/avrc_pars_tg.cc b/stack/avrc/avrc_pars_tg.cc

index 0745fcb..3b21894 100644 (file)
--- a/stack/avrc/avrc_pars_tg.cc
+++ b/stack/avrc/avrc_pars_tg.cc
@@ -73,6 +73,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_cmd(tAVRC_MSG_VENDOR* p_msg,
      case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */
        BE_STREAM_TO_UINT8(p_result->reg_notif.event_id, p);
        BE_STREAM_TO_UINT32(p_result->reg_notif.param, p);
+
+      if (p_result->reg_notif.event_id == 0 ||
+          p_result->reg_notif.event_id > AVRC_NUM_NOTIF_EVENTS) {
+        android_errorWriteLog(0x534e4554, "181860042");
+        status = AVRC_STS_BAD_PARAM;
+      }
        break;
      default:
        status = AVRC_STS_BAD_CMD;
diff --git a/stack/test/stack_avrcp_test.cc b/stack/test/stack_avrcp_test.cc

new file mode 100644 (file)

index 0000000..d3a5165
--- /dev/null
+++ b/stack/test/stack_avrcp_test.cc
@@ -0,0 +1,159 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <arpa/inet.h>  // htons
+#include <dlfcn.h>
+#include <gtest/gtest.h>
+
+#include "stack/include/avrc_api.h"
+
+class StackAvrcpTest : public ::testing::Test {
+ protected:
+  StackAvrcpTest() = default;
+
+  virtual ~StackAvrcpTest() = default;
+};
+
+TEST_F(StackAvrcpTest, test_avrcp_parse_browse_cmd) {
+  uint8_t scratch_buf[512]{};
+  tAVRC_MSG msg{};
+  tAVRC_COMMAND result{};
+  uint8_t browse_cmd_buf[512]{};
+
+  msg.hdr.opcode = AVRC_OP_BROWSE;
+  msg.browse.p_browse_data = browse_cmd_buf;
+  msg.browse.browse_len = 2;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_BAD_CMD);
+
+  memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+  browse_cmd_buf[0] = AVRC_PDU_SET_BROWSED_PLAYER;
+  msg.browse.browse_len = 3;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_BAD_CMD);
+
+  msg.browse.browse_len = 5;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_NO_ERROR);
+
+  memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+  browse_cmd_buf[0] = AVRC_PDU_GET_FOLDER_ITEMS;
+  msg.browse.browse_len = 3;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_BAD_CMD);
+
+  msg.browse.browse_len = 13;
+  uint8_t* p = &browse_cmd_buf[3];
+  UINT8_TO_STREAM(p, AVRC_SCOPE_NOW_PLAYING);  // scope
+  UINT32_TO_STREAM(p, 0x00000001);             // start_item
+  UINT32_TO_STREAM(p, 0x00000002);             // end_item
+  browse_cmd_buf[12] = 0;                      // attr_count
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_NO_ERROR);
+
+  memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+  browse_cmd_buf[0] = AVRC_PDU_CHANGE_PATH;
+  msg.browse.browse_len = 3;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_BAD_CMD);
+
+  msg.browse.browse_len = 14;
+  p = &browse_cmd_buf[3];
+  UINT16_TO_STREAM(p, 0x1234);      // uid_counter
+  UINT8_TO_STREAM(p, AVRC_DIR_UP);  // direction
+  UINT8_TO_STREAM(p, 0);            // attr_count
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_NO_ERROR);
+
+  memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+  browse_cmd_buf[0] = AVRC_PDU_GET_ITEM_ATTRIBUTES;
+  msg.browse.browse_len = 3;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_BAD_CMD);
+
+  msg.browse.browse_len = 15;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_NO_ERROR);
+
+  memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+  browse_cmd_buf[0] = AVRC_PDU_GET_TOTAL_NUM_OF_ITEMS;
+  msg.browse.browse_len = 3;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_BAD_CMD);
+
+  msg.browse.browse_len = 4;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_NO_ERROR);
+
+  memset(browse_cmd_buf, 0, sizeof(browse_cmd_buf));
+  browse_cmd_buf[0] = AVRC_PDU_SEARCH;
+  msg.browse.browse_len = 3;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_BAD_CMD);
+
+  p = &browse_cmd_buf[3];
+  UINT16_TO_STREAM(p, 0x0000);  // charset_id
+  UINT16_TO_STREAM(p, 0x0000);  // str_len
+  msg.browse.browse_len = 7;
+  EXPECT_EQ(AVRC_ParsCommand(&msg, &result, scratch_buf, sizeof(scratch_buf)),
+            AVRC_STS_NO_ERROR);
+}
+
+TEST_F(StackAvrcpTest, test_avrcp_pdu_register_notification) {
+  ASSERT_EQ(htons(0x500), 5);
+
+  struct {
+    uint8_t pdu;
+    uint8_t reserved;
+    uint16_t len;
+    struct {
+      uint8_t event_id;
+      uint32_t param;
+    } payload;
+  } data = {
+      AVRC_PDU_REGISTER_NOTIFICATION,
+      0,  // reserved
+      htons(sizeof(data.payload)),
+      .payload =
+          {
+              .event_id = 0,
+              .param = 0x1234,
+          },
+  };
+
+  tAVRC_MSG msg = {
+      .vendor =
+          {
+              .hdr =
+                  {
+                      .ctype = AVRC_CMD_NOTIF,
+                      .opcode = AVRC_OP_VENDOR,
+                  },
+              .p_vendor_data = (uint8_t*)&data,
+              .vendor_len = sizeof(data),
+          },
+  };
+  tAVRC_COMMAND result{};
+
+  // Run through all possible event ids
+  uint8_t id = 0;
+  do {
+    data.payload.event_id = id;
+    ASSERT_EQ((id == 0 || id > AVRC_NUM_NOTIF_EVENTS) ? AVRC_STS_BAD_PARAM
+                                                      : AVRC_STS_NO_ERROR,
+              AVRC_Ctrl_ParsCommand(&msg, &result));
+  } while (++id != 0);
+}
+\ No newline at end of file
author	Chris Manton <cmanton@google.com>
	Sun, 21 Mar 2021 22:51:18 +0000 (15:51 -0700)
committer	Chris Manton <cmanton@google.com>
	Wed, 24 Mar 2021 16:20:49 +0000 (16:20 +0000)
stack/avrc/avrc_pars_tg.cc		patch \| blob \| history
stack/test/stack_avrcp_test.cc	[new file with mode: 0644]	patch \| blob