
DO NOT MERGE Handle bad packet length in gatts_process_read_req
authorStanley Tng <stng@google.com>
Thu, 5 Apr 2018 16:54:13 +0000 (09:54 -0700)
committerStanley Tng <stng@google.com>
Mon, 9 Apr 2018 16:22:20 +0000 (09:22 -0700)
Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Please note that an earlier CL for this issue was reverted; this is the
updated one.

Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cc9c7330d1c3507d745170ae7b2e0546197b7acb)

stack/gatt/gatt_sr.c

index 05facd6..8bc2d25 100644 (file)
@@ -27,6 +27,7 @@
 
 #if BLE_INCLUDED == TRUE
 #include <string.h>
+#include <log/log.h>
 #include "gatt_int.h"
 #include "l2c_api.h"
 #include "l2c_int.h"
@@ -335,8 +336,6 @@ void gatt_process_exec_write_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U
     tGATT_IF gatt_if;
     UINT16  conn_id;
 
-    UNUSED(len);
-
 #if GATT_CONFORMANCE_TESTING == TRUE
     if (gatt_cb.enable_err_rsp && gatt_cb.req_op_code == op_code)
     {
@@ -349,6 +348,13 @@ void gatt_process_exec_write_req (tGATT_TCB *p_tcb, UINT8 op_code, UINT16 len, U
     }
 #endif
 
+    if (len < sizeof(flag)) {
+      android_errorWriteLog(0x534e4554, "73172115");
+      GATT_TRACE_ERROR("%s: invalid length", __func__);
+      gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);
+      return;
+    }
+
     STREAM_TO_UINT8(flag, p);
 
     /* mask the flag */
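Review bot: The new error response `gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);` passes C99 `false` and a hard-coded opcode, while the file's existing call site in the read-request path uses the `FALSE` macro and the function's `op_code` parameter (`gatt_send_error_rsp (p_tcb, reason, op_code, handle, FALSE);`). For consistency with the surrounding code I would write `gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, op_code, 0, FALSE);` — the conformance-testing block just above already treats `op_code` as this request's opcode, so the two forms are presumably equivalent here. The same hunk logs with `android_errorWriteLog` whereas the read-request hunk uses `android_errorWriteWithInfoLog`; if the difference is not deliberate, picking one keeps the two SafetyNet entries uniform. gatt_process_exec_write_req's body continues outside the hunk.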
@@ -1190,7 +1196,6 @@ static void gatts_process_read_req(tGATT_TCB *p_tcb, tGATT_SR_REG *p_rcb, UINT8
     UINT8           sec_flag, key_size, *p;
     UINT16          offset = 0, value_len = 0;
 
-    UNUSED (len);
     if ((p_msg =  (BT_HDR *)GKI_getbuf(buf_len)) == NULL)
     {
         GATT_TRACE_ERROR("gatts_process_find_info failed. no resources.");
@@ -1199,6 +1204,15 @@ static void gatts_process_read_req(tGATT_TCB *p_tcb, tGATT_SR_REG *p_rcb, UINT8
     }
     else
     {
+
+        if (op_code == GATT_REQ_READ_BLOB && len < sizeof(UINT16)) {
+          /* Error: packet length is too short */
+          android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
+          GATT_TRACE_ERROR("%s: invalid length", __func__);
+          gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, op_code, 0, false);
+          return;
+        }
+
         if (op_code == GATT_REQ_READ_BLOB)
             STREAM_TO_UINT16(offset, p_data);
 
@@ -1232,7 +1246,7 @@ static void gatts_process_read_req(tGATT_TCB *p_tcb, tGATT_SR_REG *p_rcb, UINT8
     {
         if (p_msg)  GKI_freebuf(p_msg);
 
-        /* in theroy BUSY is not possible(should already been checked), protected check */
+        /* in theory BUSY is not possible(should already been checked), protected check */
         if (reason != GATT_PENDING && reason != GATT_BUSY)
             gatt_send_error_rsp (p_tcb, reason, op_code, handle, FALSE);
     }