From 9b67f1d7bd30dd7ca08367c41ac1e3e027e37801 Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Wed, 16 Jan 2019 12:33:26 -0800
Subject: [PATCH] btm_ble_multi_adv: Check data length in HCI interface
For BleAdvertiserVscHciInterfaceImpl and BleAdvertiserLegacyHciInterfaceImpl, the maximum size of scan response and advertising packet data length should be BTM_BLE_AD_DATA_LEN (31).
Bug: 121145627
Test: POC
Change-Id: I7653a6c186b7313ef2b1547bca120b9d41c90140
(cherry picked from commit a99fe8a175a6d209e741871544ae3f857c8a7cbb)
---
 stack/btm/ble_advertiser_hci_interface.cc | 35 +++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
diff --git a/stack/btm/ble_advertiser_hci_interface.cc b/stack/btm/ble_advertiser_hci_interface.cc
index 377f1d4f3..b3a2f021b 100644
--- a/stack/btm/ble_advertiser_hci_interface.cc
+++ b/stack/btm/ble_advertiser_hci_interface.cc
@@ -27,6 +27,7 @@
 #include "btm_int_types.h"
 #include "device/include/controller.h"
 #include "hcidefs.h"
+#include "log/log.h"
 #define BTM_BLE_MULTI_ADV_SET_RANDOM_ADDR_LEN 8
 #define BTM_BLE_MULTI_ADV_ENB_LEN 3
@@ -162,6 +163,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface {
     uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
     memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
+    if (data_length > BTM_BLE_AD_DATA_LEN) {
+      android_errorWriteLog(0x534e4554, "121145627");
+      LOG(ERROR) << __func__
+                 << ": data_length=" << static_cast(data_length)
+                 << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
+      data_length = BTM_BLE_AD_DATA_LEN;
+    }
+
     uint8_t* pp = param;
     UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_ADV_DATA);
     UINT8_TO_STREAM(pp, data_length);
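Review bot: The guard added to the VSC SetAdvertisingData path stops `data_length` from driving a write past the stack buffer `param`, but it then silently truncates the caller's payload to BTM_BLE_AD_DATA_LEN and still issues the command, so an over-long request goes out as a cut-off AD structure instead of being rejected; unless every caller already validates the length, completing the request with an error status would be the more conservative contract (the method signature, its completion callback and the copy of `data` into `param` are all outside the hunk). The bound is also not tied to the buffer it protects — the comparison uses BTM_BLE_AD_DATA_LEN while `param` is sized by BTM_BLE_MULTI_ADV_WRITE_DATA_LEN — so a comment such as `// BTM_BLE_MULTI_ADV_WRITE_DATA_LEN must hold the header bytes streamed below plus BTM_BLE_AD_DATA_LEN payload bytes` (or a static_assert to that effect, once the header size is confirmed) would keep the two constants from drifting apart. The same applies to the scan-response hunk at -181,6 and to the legacy hunks at -370,6 and -387,6, where the four near-identical log-and-clamp blocks could be one file-scope helper so the limit and the SafetyNet log line are maintained in one place.
```cpp
// Clamp an AD payload length to |limit|, logging the rejected length once;
// the return value is what is streamed into the HCI parameter buffer.
static uint8_t ClampAdDataLength(uint8_t length, uint8_t limit,
                                 const char* caller, const char* field) {
  if (length > limit) {
    android_errorWriteLog(0x534e4554, "121145627");
    LOG(ERROR) << caller << ": " << field << "=" << static_cast<int>(length)
               << ", is longer than size limit " << static_cast<int>(limit);
    return limit;
  }
  return length;
}
// … unchanged: param declaration and memset in SetAdvertisingData …
    data_length = ClampAdDataLength(data_length, BTM_BLE_AD_DATA_LEN, __func__,
                                    "data_length");
```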
@@ -181,6 +190,14 @@ class BleAdvertiserVscHciInterfaceImpl : public BleAdvertiserHciInterface {
     uint8_t param[BTM_BLE_MULTI_ADV_WRITE_DATA_LEN];
     memset(param, 0, BTM_BLE_MULTI_ADV_WRITE_DATA_LEN);
+    if (scan_response_data_length > BTM_BLE_AD_DATA_LEN) {
+      android_errorWriteLog(0x534e4554, "121145627");
+      LOG(ERROR) << __func__ << ": scan_response_data_length="
+                 << static_cast(scan_response_data_length)
+                 << ", is longer than size limit " << BTM_BLE_AD_DATA_LEN;
+      scan_response_data_length = BTM_BLE_AD_DATA_LEN;
+    }
+
     uint8_t* pp = param;
     UINT8_TO_STREAM(pp, BTM_BLE_MULTI_ADV_WRITE_SCAN_RSP_DATA);
     UINT8_TO_STREAM(pp, scan_response_data_length);
@@ -370,6 +387,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface {
     uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
+    if (data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
+      android_errorWriteLog(0x534e4554, "121145627");
+      LOG(ERROR) << __func__
+                 << ": data_length=" << static_cast(data_length)
+                 << ", is longer than size limit "
+                 << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+      data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+    }
+
     uint8_t* pp = param;
     memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
     UINT8_TO_STREAM(pp, data_length);
@@ -387,6 +413,15 @@ class BleAdvertiserLegacyHciInterfaceImpl : public BleAdvertiserHciInterface {
     VLOG(1) << __func__;
     uint8_t param[HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1];
+    if (scan_response_data_length > HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA) {
+      android_errorWriteLog(0x534e4554, "121145627");
+      LOG(ERROR) << __func__ << ": scan_response_data_length="
+                 << static_cast(scan_response_data_length)
+                 << ", is longer than size limit "
+                 << HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+      scan_response_data_length = HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA;
+    }
+
     uint8_t* pp = param;
     memset(pp, 0, HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA + 1);
     UINT8_TO_STREAM(pp, scan_response_data_length);
-- 
2.11.0
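Review bot: In the legacy SetAdvertisingData hunk (-370,6) the clamp bounds `data_length` by HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA, whereas the commit message states the limit as BTM_BLE_AD_DATA_LEN (31) and the VSC hunks compare against that constant; the two are presumably equal, but nothing in the file ties them together, so a reader has to consult the HCI definitions to confirm the guard really enforces the 31-byte AD limit rather than just the local buffer size. If they are indeed equal, a one-line `static_assert(HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA == BTM_BLE_AD_DATA_LEN, "legacy adv data buffer must hold one full AD payload");` beside the `param` declaration would make that explicit; otherwise a comment `// param = 1 length byte + HCIC_PARAM_SIZE_BLE_WRITE_ADV_DATA data bytes; clamp so the copy below cannot overrun it` documents what the bound actually protects. The scan-response hunk at -387,6 has the same gap. The enclosing methods' signatures and the copy of the payload into `param` lie outside both hunks.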