OSDN Git Service

(root) / android-x86 / system-bt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5cd6a9f)
DO NOT MERGE process_l2cap_cmd: Fix OOB
authorHansong Zhang <hsz@google.com>
Fri, 18 Jan 2019 19:51:00 +0000 (11:51 -0800)
committerJP Sugarbroad <jpsugar@google.com>
Tue, 12 Feb 2019 21:10:31 +0000 (13:10 -0800)
Bug: 119870451
Test: POC
Change-Id: Ieef322a3ad4cebcaf40e5388584d3a04a4761d2e
(cherry picked from commit 38f07a3c93143ca31229f0caa5b1a270dc1f5401)

stack/l2cap/l2c_main.c patch | blob | history
stack/l2cap/l2c_utils.c patch | blob | history

diff --git a/stack/l2cap/l2c_main.c b/stack/l2cap/l2c_main.c
index 818060b..ac74497 100644 (file)
--- a/stack/l2cap/l2c_main.c
+++ b/stack/l2cap/l2c_main.c
@@ -490,7 +490,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
                 {
                 case L2CAP_CFG_TYPE_MTU:
                     cfg_info.mtu_present = TRUE;
-                    if (p + 2 > p_next_cmd) {
+                    if (cfg_len != 2) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                         android_errorWriteLog(0x534e4554, "74202041");
                         return;
                     }
@@ -499,7 +503,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FLUSH_TOUT:
                     cfg_info.flush_to_present = TRUE;
-                    if (p + 2 > p_next_cmd) {
+                    if (cfg_len != 2) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                         android_errorWriteLog(0x534e4554, "74202041");
                         return;
                     }
@@ -508,7 +516,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_QOS:
                     cfg_info.qos_present = TRUE;
-                    if (p + 2 + 5 * 4 > p_next_cmd) {
+                    if (cfg_len != 2 + 5 * 4) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                         android_errorWriteLog(0x534e4554, "74202041");
                         return;
                     }
@@ -523,7 +535,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FCR:
                     cfg_info.fcr_present = TRUE;
-                    if (p + 3 + 3 * 2 > p_next_cmd) {
+                    if (cfg_len != 3 + 3 * 2) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                         android_errorWriteLog(0x534e4554, "74202041");
                         return;
                     }
@@ -537,7 +553,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_FCS:
                     cfg_info.fcs_present = TRUE;
-                    if (p + 1 > p_next_cmd) {
+                    if (cfg_len != 1) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                         android_errorWriteLog(0x534e4554, "74202041");
                         return;
                     }
@@ -546,7 +566,11 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 
                 case L2CAP_CFG_TYPE_EXT_FLOW:
                     cfg_info.ext_flow_spec_present = TRUE;
-                    if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+                    if (cfg_len != 1 + 2 + 3 * 4) {
+                        android_errorWriteLog(0x534e4554, "119870451");
+                        return;
+                    }
+                    if (p + cfg_len > p_next_cmd) {
                         android_errorWriteLog(0x534e4554, "74202041");
                         return;
                     }
diff --git a/stack/l2cap/l2c_utils.c b/stack/l2cap/l2c_utils.c
index 58ac4b0..72bd52e 100644 (file)
--- a/stack/l2cap/l2c_utils.c
+++ b/stack/l2cap/l2c_utils.c
@@ -859,6 +859,9 @@ void l2cu_send_peer_config_rej (tL2C_CCB *p_ccb, UINT8 *p_data, UINT16 data_len,
             case L2CAP_CFG_TYPE_MTU:
             case L2CAP_CFG_TYPE_FLUSH_TOUT:
             case L2CAP_CFG_TYPE_QOS:
+            case L2CAP_CFG_TYPE_FCR:
+            case L2CAP_CFG_TYPE_FCS:
+            case L2CAP_CFG_TYPE_EXT_FLOW:
                 p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
                 break;
 
system/bt
About OSDN
Find Software
Develop Software
Help