From: Ted Wang <tedwang@google.com>
Date: Fri, 4 Oct 2019 10:39:02 +0000 (+0800)
Subject: Fix potential OOB write in btm_read_remote_ext_features_complete
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=33a71f2955f1254d2f96fd4a4d16d44463a21423;p=android-x86%2Fsystem-bt.git

Fix potential OOB write in btm_read_remote_ext_features_complete

Add event length check to avoid hci event sent from controller not
correct.
Add page number check to avoid page number is bigger than max page
number.

Bug: 141552859
Test: inject function
Merged-In: I3bd7349f382aa0e42123bbd835dcb60b77af099a
Change-Id: I3bd7349f382aa0e42123bbd835dcb60b77af099a
---

diff --git a/stack/btm/btm_acl.cc b/stack/btm/btm_acl.cc
index 97f1871ef..7902000a2 100644
--- a/stack/btm/btm_acl.cc
+++ b/stack/btm/btm_acl.cc
@@ -46,6 +46,7 @@
 #include "device/include/controller.h"
 #include "hcidefs.h"
 #include "hcimsgs.h"
+#include "log/log.h"
 #include "l2c_int.h"
 #include "osi/include/osi.h"
 
@@ -1062,7 +1063,7 @@ void btm_read_remote_features_complete(uint8_t* p) {
  * Returns          void
  *
  ******************************************************************************/
-void btm_read_remote_ext_features_complete(uint8_t* p) {
+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
   tACL_CONN* p_acl_cb;
   uint8_t page_num, max_page;
   uint16_t handle;
@@ -1070,6 +1071,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
 
   BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
 
+  if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
+    android_errorWriteLog(0x534e4554, "141552859");
+    BTM_TRACE_ERROR(
+        "btm_read_remote_ext_features_complete evt length too short. length=%d",
+        evt_len);
+    return;
+  }
+
   ++p;
   STREAM_TO_UINT16(handle, p);
   STREAM_TO_UINT8(page_num, p);
@@ -1089,6 +1098,13 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
     return;
   }
 
+  if (page_num > max_page) {
+    android_errorWriteLog(0x534e4554, "141552859");
+    BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
+                    page_num);
+    return;
+  }
+
   p_acl_cb = &btm_cb.acl_db[acl_idx];
 
   /* Copy the received features page */
diff --git a/stack/btm/btm_int.h b/stack/btm/btm_int.h
index 18b9e3024..6b1f40995 100644
--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -110,7 +110,7 @@ extern void btm_acl_encrypt_change(uint16_t handle, uint8_t status,
 extern uint16_t btm_get_acl_disc_reason_code(void);
 extern tBTM_STATUS btm_remove_acl(BD_ADDR bd_addr, tBT_TRANSPORT transport);
 extern void btm_read_remote_features_complete(uint8_t* p);
-extern void btm_read_remote_ext_features_complete(uint8_t* p);
+extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
 extern void btm_read_remote_ext_features_failed(uint8_t status,
                                                 uint16_t handle);
 extern void btm_read_remote_version_complete(uint8_t* p);
diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index 80d7c0a7d..e511815fa 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -72,7 +72,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p);
 static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
 static void btu_hcif_encryption_change_evt(uint8_t* p);
 static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+                                                    uint8_t evt_len);
 static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
 static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
 static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);
@@ -184,7 +185,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
       btu_hcif_read_rmt_features_comp_evt(p);
       break;
     case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
-      btu_hcif_read_rmt_ext_features_comp_evt(p);
+      btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
       break;
     case HCI_READ_RMT_VERSION_COMP_EVT:
       btu_hcif_read_rmt_version_comp_evt(p);
@@ -800,7 +801,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) {
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+                                                    uint8_t evt_len) {
   uint8_t* p_cur = p;
   uint8_t status;
   uint16_t handle;
@@ -808,7 +810,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
   STREAM_TO_UINT8(status, p_cur);
 
   if (status == HCI_SUCCESS)
-    btm_read_remote_ext_features_complete(p);
+    btm_read_remote_ext_features_complete(p, evt_len);
   else {
     STREAM_TO_UINT16(handle, p_cur);
     btm_read_remote_ext_features_failed(status, handle);
diff --git a/stack/include/hcidefs.h b/stack/include/hcidefs.h
index ae7ec877b..fbaba5482 100644
--- a/stack/include/hcidefs.h
+++ b/stack/include/hcidefs.h
@@ -1567,6 +1567,8 @@ typedef struct {
 
 #define HCI_FEATURE_BYTES_PER_PAGE 8
 
+#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
+
 #define HCI_FEATURES_KNOWN(x) \
   (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0)