From 1c5192ce7735170c043912828db1e502c643004b Mon Sep 17 00:00:00 2001
From: Pavlin Radoslavov
Date: Thu, 9 Aug 2018 13:07:48 -0700
Subject: [PATCH] Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before accessing the data.
Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
---
 stack/avrc/avrc_api.cc | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/stack/avrc/avrc_api.cc b/stack/avrc/avrc_api.cc
index bdf78b736..10eb1a932 100644
--- a/stack/avrc/avrc_api.cc
+++ b/stack/avrc/avrc_api.cc
@@ -24,6 +24,8 @@
 #include 
 #include 
+#include 
+
 #include "avrc_api.h"
 #include "avrc_int.h"
 #include "bt_common.h"
@@ -663,6 +665,13 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
 msg.browse.browse_len = p_pkt->len;
 msg.browse.p_browse_pkt = p_pkt;
 } else {
+ if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
+ android_errorWriteLog(0x534e4554, "111803925");
+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
+ osi_free(p_pkt);
+ return;
+ }
 msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
 AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__, handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
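Review bot: The guard added at the top of the `else` branch only proves that the 3-byte AVC header (`AVRC_AVC_HDR_SIZE`) is present, yet `p_pkt` then flows into the opcode-specific parsing below it, so every opcode handler that reads past `p_data[2]` still needs its own bound — the two later hunks add one for the UNIT_INFO and SUB_UNIT_INFO responses, and the remaining opcodes are not visible here to confirm. A comment on the check would stop the next reader from treating it as sufficient: `/* Guarantees only the AVC header; each opcode handler must bound its own payload against p_pkt->len. */`. This path also calls `osi_free(p_pkt)` and returns directly instead of setting `drop`/`p_drop_msg` like the other new checks, so a short frame never reaches whatever common drop reporting follows the opcode switch; if that tail exists, `drop = true; p_drop_msg = "AVC header too short";` would keep the three checks consistent, though at this point the opcode has not been parsed, so an early exit may be the only option. avrc_msg_cback begins and ends outside this hunk.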
@@ -696,6 +705,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
 p_drop_msg = "auto respond";
 } else {
 /* parse response */
+ if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
+ AVRC_TRACE_WARNING( "%s: message length %d too short: must be at least %d", __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
+ android_errorWriteLog(0x534e4554, "79883824");
+ drop = true;
+ p_drop_msg = "UNIT_INFO_RSP too short";
+ break;
+ }
 p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
 msg.unit.unit_type = (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
@@ -725,6 +743,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
 p_drop_msg = "auto responded";
 } else {
 /* parse response */
+ if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
+ AVRC_TRACE_WARNING( "%s: message length %d too short: must be at least %d", __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
+ android_errorWriteLog(0x534e4554, "79883824");
+ drop = true;
+ p_drop_msg = "SUB_UNIT_INFO_RSP too short";
+ break;
+ }
 p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
 msg.sub.page = (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
--
2.11.0
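Review bot: The new guard compares `p_pkt->len` against `AVRC_OP_UNIT_INFO_RSP_LEN`, but the macro's value is not in the hunk, and the parser immediately does `p_data += 4` and dereferences `*p_data` (byte index 4), so the macro must be at least 5 — and larger if the lines after the hunk also read the company-id bytes that follow the unit type; that should be confirmed against the definition rather than trusted from the name. A one-line comment would pin the contract for future edits: `/* RSP_LEN must cover every byte read below: octet 3, unit type at [4], and whatever follows. */`. The `break` leaves a `switch` whose header and post-switch handling of `drop` are outside the hunk, so `p_pkt` is presumably released by that common tail rather than here — unlike the header check earlier in the function, which frees and returns directly.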
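Review bot: `p_data += AVRC_AVC_HDR_SIZE` followed by `*p_data++` reads byte 3 for `msg.sub.page`, and the SUB_UNIT_INFO page parsing continues past the last hunk line, so `AVRC_OP_SUB_UNIT_INFO_RSP_LEN` has to cover the whole page the code walks, not just that first byte; the macro's value is not visible here and should be checked against what the remaining parsing consumes. On style, this guard calls `android_errorWriteLog` after the warning trace whereas the header check in the first hunk calls it before, and the same five-line guard now appears three times with a copy-pasted format string — one order should be picked, and a small `static` helper taking the minimum length and bug id would keep the three messages identical. The enclosing `switch` and the `drop` handling that frees `p_pkt` are outside the hunk.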