
DO NOT MERGE Fix unexpected behavior in reading BNEP packets
authorHansong Zhang <hsz@google.com>
Thu, 11 Jan 2018 00:59:48 +0000 (16:59 -0800)
committerRyan Longair <rlongair@google.com>
Thu, 18 Jan 2018 00:51:50 +0000 (16:51 -0800)
Bug: 67863755
Bug: 69177251
Bug: 69177292
Bug: 69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit 1ba7a489f57252de63d95d0374fccc002fe3d35a)

stack/bnep/bnep_main.c
stack/bnep/bnep_utils.c

index 36b76a1..0eda144 100644 (file)
@@ -35,6 +35,7 @@
 
 #include "l2c_api.h"
 #include "l2cdefs.h"
+#include "log/log.h"
 
 #include "btu.h"
 #include "btm_api.h"
@@ -524,20 +525,21 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
             org_len = rem_len;
             new_len = 0;
             do {
-
+                if (org_len < 2) break;
                 ext     = *p++;
                 length  = *p++;
                 p += length;
 
+                new_len = (length + 2);
+                if (new_len > org_len) break;
+
                 if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
                     bnep_send_command_not_understood (p_bcb, *p);
 
-                new_len += (length + 2);
-
-                if (new_len > org_len)
-                    break;
+                org_len -= new_len;
 
             } while (ext & 0x80);
+            android_errorWriteLog(0x534e4554, "67863755");
         }
 
         osi_free(p_buf);
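Review bot: The guard `if (new_len > org_len) break;` still lets the `new_len == org_len` case reach the `*p` read in the following `if`, and at that point `p` has been advanced by `length + 2` bytes, so the dereference lands on the first byte past the remaining payload; `if (new_len >= org_len) break;` (or a separate check that at least one byte is left before reading `*p`) would keep the read in bounds. This assumes `org_len` counts the bytes left from the current `p`, which `org_len = rem_len` suggests but the hunk does not prove. Separately, `android_errorWriteLog(0x534e4554, "67863755");` now fires for every packet that enters this block, including well-formed ones, rather than only when a `break` was taken on a bad length, so placing it next to the `break` statements would keep the event count meaningful. bnep_data_ind's body starts and ends outside the hunk.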
@@ -586,6 +588,8 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
             while (extension_present && p && rem_len)
             {
                 ext_type = *p++;
+                rem_len--;
+                android_errorWriteLog(0x534e4554, "69271284");
                 extension_present = ext_type >> 7;
                 ext_type &= 0x7F;
 
index e16ffca..c731174 100644 (file)
@@ -22,6 +22,8 @@
  *
  ******************************************************************************/
 
+#include <cutils/log.h>
+
 #include <stdio.h>
 #include <string.h>
 #include "bt_common.h"
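Review bot: bnep_utils.c pulls `android_errorWriteLog` in through `<cutils/log.h>` while the bnep_main.c hunk in the same commit uses `"log/log.h"`; presumably both resolve to the same declaration, but using one header in both files would keep the module consistent, e.g. `#include "log/log.h"` here as well.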
@@ -805,6 +807,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
 
     case BNEP_SETUP_CONNECTION_REQUEST_MSG:
         len = *p++;
+           if (*rem_len < 1) {
+                   BNEP_TRACE_ERROR(
+              "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
+              __func__);
+            android_errorWriteLog(0x534e4554, "69177292");
+            goto bad_packet_length;
+        }
         if (*rem_len < ((2 * len) + 1)) {
             BNEP_TRACE_ERROR(
               "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
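Review bot: The new `if (*rem_len < 1)` guard sits after `len = *p++;`, so the length byte is read before the check establishes that it exists; the whole `if` block should be moved above `len = *p++;`, matching the order used in the `BNEP_FILTER_NET_TYPE_SET_MSG` and `BNEP_FILTER_MULTI_ADDR_SET_MSG` hunks, where the `*rem_len < 2` check precedes `BE_STREAM_TO_UINT16`. Whether `*rem_len` at this point already excludes the control-type byte is not visible in the hunk, so the threshold of 1 is taken on trust. The inserted lines in this hunk and in the hunks at -831 and -857 mix tab and space indentation (`           if (*rem_len < 1) {`, `                   BNEP_TRACE_ERROR(`), which does not match the surrounding four-space style and is worth reindenting before merge. bnep_process_control_packet's body starts and ends outside the hunk.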
@@ -831,6 +840,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
         break;
 
     case BNEP_FILTER_NET_TYPE_SET_MSG:
+           if (*rem_len < 2) {
+                   BNEP_TRACE_ERROR(
+              "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
+              __func__);
+            android_errorWriteLog(0x534e4554, "69177292");
+            goto bad_packet_length;
+        }
         BE_STREAM_TO_UINT16 (len, p);
         if (*rem_len < (len + 2))
         {
@@ -857,6 +873,13 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
         break;
 
     case BNEP_FILTER_MULTI_ADDR_SET_MSG:
+           if (*rem_len < 2) {
+                   BNEP_TRACE_ERROR(
+              "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
+              __func__);
+            android_errorWriteLog(0x534e4554, "69177292");
+            goto bad_packet_length;
+        }
         BE_STREAM_TO_UINT16 (len, p);
         if (*rem_len < (len + 2))
         {