From: Jakub Pawlowski
Date: Fri, 22 Jun 2018 05:56:11 +0000 (-0700)
Subject: Add packet length checks in l2cble_process_sig_cmd
X-Git-Tag: android-x86-7.1-r3^2~38
X-Git-Url: http://git.osdn.net/view?p=android-x86%2Fsystem-bt.git;a=commitdiff_plain;h=84cf1086f3efb14539b06e54753de86af4c85551

Add packet length checks in l2cble_process_sig_cmd

Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit 329b7cfb446ed34a2b67e31267ff61ce12f1d70c)
---
diff --git a/stack/l2cap/l2c_ble.c b/stack/l2cap/l2c_ble.c
index 9b944a7ec..307903eab 100644
--- a/stack/l2cap/l2c_ble.c
+++ b/stack/l2cap/l2c_ble.c
@@ -609,6 +609,13 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 UINT16 credit;
 p_pkt_end = p + pkt_len;
+ if (p + 4 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad packet length", __func__);
+ return;
+ }
+
 STREAM_TO_UINT8 (cmd_code, p);
 STREAM_TO_UINT8 (id, p);
 STREAM_TO_UINT16 (cmd_len, p);
@@ -634,6 +641,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 break;
 case L2CAP_CMD_BLE_UPDATE_REQ:
+ if (p + 8 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
 STREAM_TO_UINT16 (min_interval, p); /* 0x0006 - 0x0C80 */
 STREAM_TO_UINT16 (max_interval, p); /* 0x0006 - 0x0C80 */
 STREAM_TO_UINT16 (latency, p); /* 0x0000 - 0x03E8 */
@@ -676,6 +689,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 break;
 case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:
+ if (p + 10 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
 STREAM_TO_UINT16 (con_info.psm, p);
 STREAM_TO_UINT16 (rcid, p);
 STREAM_TO_UINT16 (mtu, p);
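Review bot: The header guard in the first hunk computes `p + 4` before it knows that four bytes remain, so for a packet of 0–3 bytes the comparison is made with a pointer formed past the end of the buffer, which is out-of-bounds pointer arithmetic in C rather than a plain length test; since pkt_len is a parameter here the guard can be written without forming a pointer at all, `if (pkt_len < 4)`. The same shape is used in every later hunk, where `(size_t)(p_pkt_end - p) < N` is the equivalent pointer-free form. The 4-byte minimum only covers the code/id/length header; the hunk shows cmd_len being read but not whether it is checked against the bytes that remain, which presumably happens just below. l2cble_process_sig_cmd starts before and continues after this hunk.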
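Review bot: The guard in the L2CAP_CMD_BLE_UPDATE_REQ case bounds the four UINT16 reads against the end of the whole packet rather than against the command's own declared length, so a request whose cmd_len is below 8 is still parsed as long as further bytes happen to follow it in the packet. That is memory-safe, but it silently accepts a malformed command; if cmd_len has already been validated against pkt_len above (not visible in this hunk), the tighter test is `if (cmd_len < 8)`, which also keeps the parsing inside the command body. The fourth read (timeout) and the remainder of the case lie outside the hunk.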
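Review bot: The warning added in the L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ case reports `bad update_req packet length`, which was evidently copied from the update-request case and will mislabel the failing command in the log; it should read `L2CAP_TRACE_WARNING ("%s bad credit_based_conn_req packet length", __func__);` (the same text is reused in the remaining hunks). The literal 10 matches the three UINT16 reads shown plus, presumably, mps and initial credit read just past the hunk, but nothing ties the constant to the reads; a comment such as `/* psm, rcid, mtu, mps, initial_credit: 5 x UINT16 */` on the guard would let a future field addition be caught. The case continues outside the hunk.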
@@ -750,6 +769,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 if (p_ccb)
 {
 L2CAP_TRACE_DEBUG ("I remember the connection req");
+ if (p + 10 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
 STREAM_TO_UINT16 (p_ccb->remote_cid, p);
 STREAM_TO_UINT16 (p_ccb->peer_conn_cfg.mtu, p);
 STREAM_TO_UINT16 (p_ccb->peer_conn_cfg.mps, p);
@@ -796,6 +821,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 break;
 case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:
+ if (p + 4 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
 STREAM_TO_UINT16(lcid, p);
 if((p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid)) == NULL) {
@@ -830,6 +861,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
 break;
 case L2CAP_CMD_DISC_RSP:
+ if (p + 4 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
 STREAM_TO_UINT16 (rcid, p);
 STREAM_TO_UINT16 (lcid, p);
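Review bot: The guard in this hunk (presumably the credit-based connection response case; the case label is outside the hunk) sits inside `if (p_ccb)` after the "I remember the connection req" trace, so a truncated response is first matched to a channel and only then rejected, whereas every other case in this commit checks the length before doing any lookup; if the `else` branch outside the hunk does not read from `p`, moving the guard ahead of the lookup makes the malformed-packet path uniform. The warning text `bad update_req packet length` is again inherited from the update-request case and should name this command, e.g. `L2CAP_TRACE_WARNING ("%s bad credit_based_conn_res packet length", __func__);`. The enclosing if/else and the case continue beyond the hunk.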
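Review bot: The literal 4 in the L2CAP_CMD_BLE_FLOW_CTRL_CREDIT guard covers lcid plus one more UINT16 that is read after the `l2cu_find_ccb_by_remote_cid` lookup, outside the hunk, so the constant and the read it protects are separated by code that can itself return early; a comment on the guard, `/* lcid + credit count: 2 x UINT16 */`, would keep the two in sync when the case is edited. The warning again says `bad update_req packet length` and should name the flow-control-credit command. The rest of the case is outside the hunk.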
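Review bot: This is the sixth copy of the same five-line guard, differing only in the byte count, and every copy after the first carries the `bad update_req packet length` text from the update-request case; for the L2CAP_CMD_DISC_RSP case it should say `"%s bad disc_rsp packet length"`. A single helper that takes the remaining-length test, the SafetyNet android_errorWriteLog tag and the command name would make the log text correct by construction and avoid forming `p + N` past the end of the buffer, which the current form does for short packets. The DISC_RSP case continues past the hunk.
```c
/* Reject a signalling command with fewer than `need` bytes left; `what` names the command for the log. */
#define L2CBLE_CHECK_LEN(p, p_pkt_end, need, what)                               \
    do {                                                                         \
        if ((size_t)((p_pkt_end) - (p)) < (size_t)(need)) {                      \
            android_errorWriteLog(0x534e4554, "80261585");                       \
            L2CAP_TRACE_WARNING ("%s bad %s packet length", __func__, (what));   \
            return;                                                              \
        }                                                                        \
    } while (0)

/* … unchanged: case L2CAP_CMD_DISC_RSP: … */
            L2CBLE_CHECK_LEN(p, p_pkt_end, 4, "disc_rsp");
            STREAM_TO_UINT16 (rcid, p);
```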