From 052a5de774f3ae5932d1eb8ad2f67dbcea08d68a Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski
Date: Thu, 10 Jun 2021 22:01:32 +0200
Subject: [PATCH] Fix potential buffer overflow and uninitialized read in reassemble_and_dispatch_iso
Tag: #security
Test: compilation
Bug: 188673156
Change-Id: Id9f2acfde05da681c82adc25d602cc48a2bc5df9
---
 hci/src/packet_fragmenter.cc | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/hci/src/packet_fragmenter.cc b/hci/src/packet_fragmenter.cc
index ca71e9266..a7074d5af 100644
--- a/hci/src/packet_fragmenter.cc
+++ b/hci/src/packet_fragmenter.cc
@@ -254,8 +254,10 @@ static void reassemble_and_dispatch_iso(UNUSED_ATTR BT_HDR* packet) {
 return;
 }
 
- if ((boundary_flag == HCI_ISO_BF_COMPLETE_PACKET) &&
- (iso_full_len != packet->len)) {
+ if (((boundary_flag == HCI_ISO_BF_COMPLETE_PACKET) &&
+ (iso_full_len != packet->len)) ||
+ ((boundary_flag == HCI_ISO_BF_FIRST_FRAGMENTED_PACKET) &&
+ (iso_full_len <= packet->len))) {
 LOG_ERROR("%s corrupted ISO frame", __func__);
 return;
 }
@@ -324,6 +326,18 @@ static void reassemble_and_dispatch_iso(UNUSED_ATTR BT_HDR* packet) {
 return;
 }
 
+ if (partial_packet->len !=
+ partial_packet->offset + packet->len - HCI_ISO_PREAMBLE_SIZE) {
+ LOG_ERROR(
+ "%s got last fragment, but it doesn't fill up the whole packet of "
+ "size %d",
+ __func__, partial_packet->len);
+ buffer_allocator->free(packet);
+ partial_iso_packets.erase(map_iter);
+ buffer_allocator->free(partial_packet);
+ return;
+ }
+
 partial_packet->layer_specific |= BT_ISO_HDR_OFFSET_POINTS_DATA;
 partial_packet->offset = HCI_ISO_PREAMBLE_SIZE;
 if (partial_packet->layer_specific & BT_ISO_HDR_CONTAINS_TS)
-- 
2.11.0
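Review bot: The new `HCI_ISO_BF_FIRST_FRAGMENTED_PACKET` arm of the condition in the first hunk carries no comment saying why `iso_full_len <= packet->len` marks the frame as corrupt, and the shared "corrupted ISO frame" log line does not tell a reader which of the two arms fired. Presumably a first fragment must be strictly shorter than the full length it announces because the reassembly buffer is sized from `iso_full_len`; a comment such as `// A first fragment must be strictly shorter than the announced full length, otherwise the reassembly buffer sized from iso_full_len cannot take the remaining fragments.` would record that intent where the check lives. Logging `boundary_flag`, `iso_full_len` and `packet->len` alongside the error (with format specifiers matching their declared types, which are not visible in the hunk) would make a malformed stream diagnosable from the log rather than only rejected. The enclosing function starts before this hunk and continues after it.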
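Review bot: The last-fragment length check in the second hunk computes the expected total `partial_packet->offset + packet->len - HCI_ISO_PREAMBLE_SIZE` but the LOG_ERROR that follows reports only `partial_packet->len`, so the log cannot show by how much the fragment over- or under-shot; passing the computed sum as a second `%d` argument would make the mismatch visible. The subtraction assumes `packet->len >= HCI_ISO_PREAMBLE_SIZE` was validated earlier in the function, which is outside the hunk and should be confirmed, since otherwise the unsigned arithmetic wraps and the comparison is meaningless. It is also worth confirming that no copy into `partial_packet` precedes this point, as a guard placed after the copy would not prevent the overflow the commit title describes. A one-line comment like `// The last fragment must complete the packet exactly; any other length means a fragment was lost or the announced full length was wrong.` would document the contract. The enclosing function starts before this hunk and continues after it.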