From: Stanley Tng Date: Tue, 11 Dec 2018 22:45:13 +0000 (-0800) Subject: DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu X-Git-Tag: android-x86-8.1-r2^2~3^2 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=a03e6ad5c458580ad7635bde6ab664eed4976493;p=android-x86%2Fsystem-bt.git DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu Add check to make sure that data buffer is big enough to read the 2 bytes for length. Also, fix a regression from the previous CL that checks the buffer length before doing a memcpy. The previous check is too strict causing valid sized buffers to be rejected. The length check is incorrect and off by the header size. Bug: 120665616 Test: Run the SL4A Test for LE CoC, BleCoCTest Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a (cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073) (cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d) (cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4) (cherry picked from commit 8f52ed93ba0fe67c310473b539d37c7201c83454)
---
diff --git a/stack/l2cap/l2c_fcr.cc b/stack/l2cap/l2c_fcr.cc
index 903009684..4199009ca 100644
--- a/stack/l2cap/l2c_fcr.cc
+++ b/stack/l2cap/l2c_fcr.cc
@@ -834,7 +834,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
   }
 
   if (p_ccb->is_first_seg) {
+    if (p_buf->len < sizeof(sdu_length)) {
+      L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",
+                        __func__, p_buf->len);
+      android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);
+      /* Discard the buffer */
+      osi_free(p_buf);
+      return;
+    }
     STREAM_TO_UINT16(sdu_length, p);
+
     /* Check the SDU Length with local MTU size */
     if (sdu_length > p_ccb->local_conn_cfg.mtu) {
       /* Discard the buffer */
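Review bot: The message in the new L2CAP_TRACE_ERROR call hard-codes "Need at least 2." while the guard above it is written in terms of sizeof(sdu_length), so the text and the check can drift apart if the header type ever changes; print the bound instead: `L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least %zu.", __func__, p_buf->len, sizeof(sdu_length));` (assuming the trace macro accepts %zu; otherwise cast to unsigned and use %u). The guard itself sits in the right place, since it runs before STREAM_TO_UINT16 consumes two bytes through p, which is what keeps a short first segment from being read past the end of p_buf. The discard path mirrors the MTU rejection below it (error trace, android_errorWriteWithInfoLog, osi_free, return), which keeps the rejection branches consistent. l2c_lcc_proc_pdu begins before this hunk, so where p is derived from p_buf->offset is not visible here; the check relies on p pointing at the start of the p_buf->len bytes.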
@@ -842,6 +851,9 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
       return;
     }
 
+    p_buf->len -= sizeof(sdu_length);
+    p_buf->offset += sizeof(sdu_length);
+
     if (sdu_length < p_buf->len) {
       L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
       android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
@@ -860,8 +872,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
     p_data->len = 0;
     p_ccb->ble_sdu_length = sdu_length;
     L2CAP_TRACE_DEBUG("%s SDU Length = %d", __func__, sdu_length);
-    p_buf->len -= sizeof(sdu_length);
-    p_buf->offset += sizeof(sdu_length);
     p_data->offset = 0;
   } else {
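Review bot: The two added lines that strip the SDU-length header are now the point where p_buf->len changes meaning, from segment length to payload length, and the comparison `if (sdu_length < p_buf->len)` immediately after them depends on that, yet nothing in the code says so; a comment such as `/* Skip the 2-byte SDU length header; p_buf->len is now this segment's payload length */` above `p_buf->len -= sizeof(sdu_length);` would make the off-by-header correction the commit describes self-evident to the next reader. Moving the adjustment ahead of the check is what fixes the over-strict rejection, and the removal in the following hunk is the old location of the same two lines, so the header is stripped exactly once on the first-segment path. The MTU rejection above this point already frees the buffer and returns, so no early-return path observes a half-adjusted p_buf. The enclosing function continues outside this hunk, so later consumers of the adjusted len and offset are not visible here.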