From: Pavlin Radoslavov
Date: Thu, 31 May 2018 00:56:14 +0000 (-0700)
Subject: Add checks whether the AVDTP element data length is valid
X-Git-Tag: android-x86-9.0-r1~68^2~3^2^2^2^2
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=ee30c88a8d49b30860d35b34a57c3037a4045678;p=android-x86%2Fsystem-bt.git

Add checks whether the AVDTP element data length is valid

Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I715b5977c833d33ff798f008fbf244effa13ea1f
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit 9b3f96f50287d8789aff6d6895d7ae02ca6ac619)
---

diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index 2595ab887..fc1887e7b 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
@@ -26,6 +26,7 @@
  *
  ******************************************************************************/
+#include
 #include
 #include "avdt_api.h"
 #include "avdt_int.h"
@@ -604,6 +605,11 @@ static uint8_t avdt_msg_prs_cfg(tAVDT_CFG* p_cfg, uint8_t* p, uint16_t len,
       case AVDT_CAT_PROTECT:
         p_cfg->psc_mask &= ~AVDT_PSC_PROTECT;
+        if (p + elem_len > p_end) {
+          err = AVDT_ERR_LENGTH;
+          android_errorWriteLog(0x534e4554, "78288378");
+          break;
+        }
         if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE) {
           p_cfg->num_protect++;
           p_cfg->protect_info[protect_offset] = elem_len;
@@ -624,6 +630,11 @@ static uint8_t avdt_msg_prs_cfg(tAVDT_CFG* p_cfg, uint8_t* p, uint16_t len,
         if (elem_len >= AVDT_CODEC_SIZE) {
           tmp = AVDT_CODEC_SIZE - 1;
         }
+        if (p + tmp > p_end) {
+          err = AVDT_ERR_LENGTH;
+          android_errorWriteLog(0x534e4554, "78288378");
+          break;
+        }
         p_cfg->num_codec++;
         p_cfg->codec_info[0] = elem_len;
         memcpy(&p_cfg->codec_info[1], p, tmp);
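Review bot: In the AVDT_CAT_PROTECT hunk, `p + elem_len > p_end` first forms a pointer that may lie past the end of the buffer and only then compares it; forming such a pointer is undefined behavior, and a bounds check written that way is exactly what an optimizer is allowed to fold away. Comparing remaining length instead keeps the check well-defined: `if (elem_len > (size_t)(p_end - p)) {`. The same pattern appears in the AVDT_CAT_CODEC hunk (`p + tmp > p_end`). The `break` only leaves the switch, so whether parsing really stops on AVDT_ERR_LENGTH depends on the enclosing loop testing `err`, which is outside this hunk and worth confirming; avdt_msg_prs_cfg both starts and ends outside the hunk.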
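Review bot: The AVDT_CAT_CODEC check bounds `tmp` (already clamped to AVDT_CODEC_SIZE - 1) rather than the declared `elem_len`, so an element whose declared length exceeds the bytes remaining still passes as long as the first `tmp` bytes are present; `p_cfg->codec_info[0] = elem_len` then records a length the buffer never held, and if the per-element advance outside the hunk is driven by `elem_len` (presumably `p += elem_len`), the pointer ends up past `p_end`. Checking the declared length, as the AVDT_CAT_PROTECT hunk does, makes the two cases consistent and rejects truncated elements instead of silently accepting them: `if (elem_len > (size_t)(p_end - p)) {`. avdt_msg_prs_cfg's body continues outside the hunk.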