From 154538930f644fc19e48ef99fec87c4f70822060 Mon Sep 17 00:00:00 2001
From: Myles Watson
Date: Thu, 25 Oct 2018 15:27:03 -0700
Subject: [PATCH] DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp

Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit f34d740521ec583b0089fdeca283748a809a9c1a)
---
 stack/mcap/mca_cact.cc | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/stack/mcap/mca_cact.cc b/stack/mcap/mca_cact.cc
index 3a804e523..96434e1fb 100644
--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc
@@ -449,12 +449,23 @@ void mca_ccb_hdl_rsp(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
   tMCA_RESULT result = MCA_BAD_HANDLE;
   tMCA_TC_TBL* p_tbl;
 
-  if (p_ccb->p_tx_req) {
+  if (p_pkt->len < sizeof(evt_data.hdr.op_code) +
+                       sizeof(evt_data.rsp.rsp_code) +
+                       sizeof(evt_data.hdr.mdl_id)) {
+    android_errorWriteLog(0x534e4554, "116319076");
+    MCA_TRACE_ERROR("%s: Response packet is too short", __func__);
+  } else if (p_ccb->p_tx_req) {
     /* verify that the received response matches the sent request */
     p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
     evt_data.hdr.op_code = *p++;
-    if ((evt_data.hdr.op_code == 0) ||
-        ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
+    if ((evt_data.hdr.op_code == MCA_OP_MDL_CREATE_RSP) &&
+        (p_pkt->len <
+         sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) +
+         sizeof(evt_data.hdr.mdl_id) + sizeof(evt_data.create_cfm.cfg))) {
+      android_errorWriteLog(0x534e4554, "116319076");
+      MCA_TRACE_ERROR("%s: MDL Create Response packet is too short", __func__);
+    } else if ((evt_data.hdr.op_code == 0) ||
+               ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
       evt_data.rsp.rsp_code = *p++;
       mca_stop_timer(p_ccb);
       BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
-- 
2.11.0
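Review bot: The minimum response length `sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) + sizeof(evt_data.hdr.mdl_id)` is spelled out twice in this hunk, once in the outer guard and again inside the MDL Create check, so the two bounds can silently drift apart if either expression is edited alone; hoisting it into a local such as `const size_t min_rsp_len = sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) + sizeof(evt_data.hdr.mdl_id);` and comparing `p_pkt->len < min_rsp_len` and `p_pkt->len < min_rsp_len + sizeof(evt_data.create_cfm.cfg)` keeps them in step. Both bounds are derived from the sizes of struct fields rather than from the MCAP wire layout that the parser below actually consumes (one byte for op_code via `*p++`, one byte for rsp_code via `*p++`, two bytes for mdl_id via `BE_STREAM_TO_UINT16`), which happens to coincide here but is worth stating, e.g. `/* wire layout: op_code(1) rsp_code(1) mdl_id(2), plus cfg for MDL Create; bounds below assume the struct fields match it */`. The two too-short branches only log and fall through, so what becomes of `result` and of the packet in that case is decided by code after the hunk; mca_ccb_hdl_rsp continues past the last line shown.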