From: Jakub Pawlowski
Date: Fri, 22 Jun 2018 05:56:11 +0000 (-0700)
Subject: Add packet length checks in l2cble_process_sig_cmd
X-Git-Tag: android-x86-9.0-r1~63
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=83ea816ea9becc9e427906a10c403987dd6687ee;p=android-x86%2Fsystem-bt.git
Add packet length checks in l2cble_process_sig_cmd
Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)
---
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index ec0992a91..5fc01f9b9 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -594,6 +594,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 uint16_t credit;
 p_pkt_end = p + pkt_len;
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
 STREAM_TO_UINT8(cmd_code, p);
 STREAM_TO_UINT8(id, p);
 STREAM_TO_UINT16(cmd_len, p);
@@ -619,6 +625,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 break;
 case L2CAP_CMD_BLE_UPDATE_REQ:
+ if (p + 8 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
 STREAM_TO_UINT16(min_interval, p); /* 0x0006 - 0x0C80 */
 STREAM_TO_UINT16(max_interval, p); /* 0x0006 - 0x0C80 */
 STREAM_TO_UINT16(latency, p); /* 0x0000 - 0x03E8 */
@@ -660,6 +672,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 break;
 case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:
+ if (p + 10 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
 STREAM_TO_UINT16(con_info.psm, p);
 STREAM_TO_UINT16(rcid, p);
 STREAM_TO_UINT16(mtu, p);
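Review bot: The guard added before the header read, and the five copies of it in the hunks at -619, -660, -743, -788 and -821, all emit the same `LOG(ERROR) << "invalid read";` with neither the command code nor the byte deficit, so when the 0x534e4554/80261585 event shows up in logs it cannot be told which signalling command was truncated or by how much. Factoring the six copies into one helper that compares the remaining length, `(size_t)(p_pkt_end - p) >= needed`, instead of forming `p + N` (which may point beyond the received data when the packet is short) lets each site report its code and deficit, and keeps the byte counts from drifting as cases are edited. The first guard only establishes that the 4-byte signalling header is present; whether the `cmd_len` read right after it is itself validated against `p_pkt_end` happens outside these hunks, so I could not confirm it here. l2cble_process_sig_cmd starts before the first hunk and the switch arms between the shown hunks (for instance a `L2CAP_CMD_DISC_REQ` arm, if present between the -788 and -821 hunks) are not visible; any arm that reads fields needs the same guard.
```cpp
// Returns true when at least |needed| bytes remain in [p, p_pkt_end).
// Logs the SafetyNet event and returns false otherwise; callers then
// drop the command without reading past the received data.
static bool l2cble_sig_check_len(const uint8_t* p, const uint8_t* p_pkt_end,
                                 size_t needed, uint8_t cmd_code) {
  if (p <= p_pkt_end && (size_t)(p_pkt_end - p) >= needed) return true;
  android_errorWriteLog(0x534e4554, "80261585");
  LOG(ERROR) << __func__ << ": short LE signalling command, code=" << +cmd_code
             << " remaining=" << (p_pkt_end - p) << " needed=" << needed;
  return false;
}
// … unchanged: l2cble_process_sig_cmd up to p_pkt_end = p + pkt_len …
  if (!l2cble_sig_check_len(p, p_pkt_end, 4, 0)) return;
// … unchanged: STREAM_TO_UINT8/UINT16 header reads …
    case L2CAP_CMD_BLE_UPDATE_REQ:
      if (!l2cble_sig_check_len(p, p_pkt_end, 8, cmd_code)) return;
// … unchanged: remaining cases, each calling the helper with its own byte count …
```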
@@ -743,6 +761,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 }
 if (p_ccb) {
 L2CAP_TRACE_DEBUG("I remember the connection req");
+ if (p + 10 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
 STREAM_TO_UINT16(p_ccb->remote_cid, p);
 STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mtu, p);
 STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mps, p);
@@ -788,6 +812,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 break;
 case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
 STREAM_TO_UINT16(lcid, p);
 p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid);
 if (p_ccb == NULL) {
@@ -821,6 +851,11 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 break;
 case L2CAP_CMD_DISC_RSP:
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
 STREAM_TO_UINT16(rcid, p);
 STREAM_TO_UINT16(lcid, p);