From: Jakub Pawlowski Date: Fri, 28 Apr 2017 12:15:16 +0000 (-0700) Subject: Check device name length X-Git-Tag: android-x86-9.0-r1~473^2^2~35 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=d7ed7c0e3d8930a77aa665cfaf57bf28a07d4084;p=android-x86%2Fsystem-bt.git Check device name length BT spec limits the length of device name to 248 bytes. With the new LE advertising packets, that can go up to 1650 bytes long, we must check the length of device name received. Bug: 37671082 Test: manual Change-Id: Iad309d638003c2391014c9764605d84ed5717cb1 (cherry picked from commit 3a4e7622ff07772a512052c23cada59f5830941f)
---
diff --git a/btif/src/btif_ble_scanner.cc b/btif/src/btif_ble_scanner.cc
index c23c75120..4d87c7be3 100644
--- a/btif/src/btif_ble_scanner.cc
+++ b/btif/src/btif_ble_scanner.cc
@@ -160,9 +160,19 @@ void bta_scan_results_cb_impl(bt_bdaddr_t bd_addr, tBT_DEVICE_TYPE device_type,
 btif_gattc_add_remote_bdaddr(bd_addr.address, addr_type);
 if (p_eir_remote_name) {
+ if (remote_name_len > BD_NAME_LEN + 1 ||
+ (remote_name_len == BD_NAME_LEN + 1 &&
+ p_eir_remote_name[BD_NAME_LEN] != '\0')) {
+ LOG_INFO(LOG_TAG,
+ "%s dropping invalid packet - device name too long: %d",
+ __func__, remote_name_len);
+ return;
+ }
+
 bt_bdname_t bdname;
 memcpy(bdname.name, p_eir_remote_name, remote_name_len);
- bdname.name[remote_name_len] = '\0';
+ if (remote_name_len < BD_NAME_LEN + 1)
+ bdname.name[remote_name_len] = '\0';
 LOG_VERBOSE(LOG_TAG, "%s BLE device name=%s len=%d dev_type=%d",
 __func__, bdname.name, remote_name_len, device_type);
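Review bot: The `memcpy` into `bdname.name` is only in bounds if that array really holds `BD_NAME_LEN + 1` bytes, and the declaration of `bt_bdname_t` is not visible in this hunk, so the new length check and the destination size are coupled only by convention. A compile-time guard next to the check, `static_assert(sizeof(bt_bdname_t::name) == BD_NAME_LEN + 1, "device name buffer must hold BD_NAME_LEN bytes plus NUL");`, would keep them from drifting apart, and a short comment should say why a length of `BD_NAME_LEN + 1` is accepted when the last byte is `'\0'`. The rejection also runs after `btif_gattc_add_remote_bdaddr(bd_addr.address, addr_type)`, so the address from a packet that is then dropped as invalid has already been recorded; if the name pointer and length are available earlier, validating before that call would be cleaner. `bta_scan_results_cb_impl` starts and ends outside the hunk, so the type of `remote_name_len` (printed with `%d`) cannot be confirmed from here.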