From 53e8b941fd918b6f03667e1bdd38fc73ac84396b Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Wed, 8 Aug 2018 11:38:30 -0700
Subject: [PATCH] DO NOT MERGE Check remaining frame length in rfc_process_mx_message

Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
---
 stack/rfcomm/rfc_ts_frames.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/stack/rfcomm/rfc_ts_frames.c b/stack/rfcomm/rfc_ts_frames.c
index 5e5f2e1d1..503e76df0 100644
--- a/stack/rfcomm/rfc_ts_frames.c
+++ b/stack/rfcomm/rfc_ts_frames.c
@@ -679,6 +679,14 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
     UINT8 ea, cr, mx_len;
     BOOLEAN is_command;
 
+    if (length < 2) {
+        RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when reading EA, C/R."
+                           " len:%d < 2", __func__, length);
+        android_errorWriteLog(0x534e4554, "111937065");
+        osi_free(p_buf);
+        return;
+    }
+
     p_rx_frame->ea = *p_data & RFCOMM_EA;
     p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
     p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
@@ -701,6 +709,13 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
 
     if (!ea)
     {
+        if (length < 1) {
+            RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0.len:%d < 1",
+                               __func__, length);
+            android_errorWriteLog(0x534e4554, "111937065");
+            osi_free(p_buf);
+            return;
+        }
         mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
         length --;
     }
@@ -777,7 +792,14 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
         return;
 
     case RFCOMM_MX_MSC:
-
+        if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
+            length != RFCOMM_MX_MSC_LEN_NO_BREAK) {
+            RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__,
+                               length);
+            android_errorWriteLog(0x534e4554, "111937065");
+            osi_free(p_buf);
+            return;
+        }
         ea = *p_data & RFCOMM_EA;
         cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
         p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
-- 
2.11.0
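Review bot: The new `if (length < 2)` guard at the top of the first hunk has no comment explaining why 2 is the minimum, so a later reader has to rediscover that the next two reads consume the type octet and the first length octet. I would add `/* need the type/EA/CR octet plus the first length octet before reading further */` above the check. The same error/log/free/return sequence is then repeated verbatim in the second and third hunks with only the message differing; a small `static` helper taking `p_buf` and the message would remove the duplication and make it harder to forget the `osi_free(p_buf)` in a future guard. `length` is declared and initialized before this hunk, so whether it already accounts for any header octets consumed earlier cannot be confirmed from here. rfc_process_mx_message starts and continues outside the hunk.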
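Review bot: The `if (length < 1)` guard inside `if (!ea)` protects the read of the second length octet, but it is worth a one-line comment since the relation between `ea` and a second octet is RFCOMM framing knowledge, e.g. `/* EA == 0 means a second length octet follows */`. After this block the parser has both `mx_len` (the length the peer declared) and `length` (the octets actually remaining); the hunk shows `length --` for the second octet but no comparison of the two, and if no `mx_len`/`length` consistency check exists outside the hunk, the later per-type checks bound only the buffer and not the declared length, which should be confirmed. The enclosing function continues beyond this hunk.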
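Review bot: The MSC case now rejects any `length` other than `RFCOMM_MX_MSC_LEN_WITH_BREAK` or `RFCOMM_MX_MSC_LEN_NO_BREAK` before the first `*p_data++` read, which is the right place for the check, but the other `case` labels of this `switch` are outside the hunk and the patch title says only "remaining frame length", so it is not visible whether the sibling message types with fixed-size payloads receive an equivalent bound; the reviewer should confirm that each case that dereferences `p_data` is guarded the same way. A short comment on the new check would help, e.g. `/* MSC carries a fixed-size payload; anything else is malformed */`. The three guards in this patch log with `android_errorWriteLog(0x534e4554, "111937065")` while the commit message cites 111936792 and 80432928; that may be intentional but is worth a glance. The `switch` and the function both extend past the hunk boundaries.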