system/bt
Revision | 2736fbc8fcf61e3301f31fec6411f112a7db4720 (tree) |
Time | 2019-01-15 07:55:19 |
Author | Stanley Tng <stng@goog...> |
Commiter | JP Sugarbroad |
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Add check to make sure that data buffer is big enough to read the 2
bytes for length.
Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.
Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit fcb1994de1f6ee34b8dc6804a2b32e20bf138073)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4)
(cherry picked from commit c1fcbd5508a75ae3eaf5f311d706d026fee2fe48)
@@ -840,7 +840,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) | ||
840 | 840 | |
841 | 841 | if (p_ccb->is_first_seg) |
842 | 842 | { |
843 | + if (p_buf->len < sizeof(sdu_length)) { | |
844 | + L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.", | |
845 | + __func__, p_buf->len); | |
846 | + android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0); | |
847 | + /* Discard the buffer */ | |
848 | + osi_free(p_buf); | |
849 | + return; | |
850 | + } | |
843 | 851 | STREAM_TO_UINT16(sdu_length, p); |
852 | + | |
844 | 853 | /* Check the SDU Length with local MTU size */ |
845 | 854 | if (sdu_length > p_ccb->local_conn_cfg.mtu) |
846 | 855 | { |
@@ -849,6 +858,9 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) | ||
849 | 858 | return; |
850 | 859 | } |
851 | 860 | |
861 | + p_buf->len -= sizeof(sdu_length); | |
862 | + p_buf->offset += sizeof(sdu_length); | |
863 | + | |
852 | 864 | if (sdu_length < p_buf->len) { |
853 | 865 | L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length); |
854 | 866 | android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0); |
@@ -868,8 +880,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) | ||
868 | 880 | p_data->len = 0; |
869 | 881 | p_ccb->ble_sdu_length = sdu_length; |
870 | 882 | L2CAP_TRACE_DEBUG ("%s SDU Length = %d",__func__,sdu_length); |
871 | - p_buf->len -= sizeof(sdu_length); | |
872 | - p_buf->offset += sizeof(sdu_length); | |
873 | 883 | p_data->offset = 0; |
874 | 884 | } else { |
875 | 885 | p_data = p_ccb->ble_sdu; |
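Review bot: The relocated header adjustment at new lines 861-862 (`p_buf->len -= sizeof(sdu_length); p_buf->offset += sizeof(sdu_length);`) is what corrects the over-strict comparison on line 864, but nothing in the code records why it must run before that comparison; a one-line comment such as `/* Strip the SDU length header first so the check below compares the payload, not header+payload, against sdu_length */` would keep a later cleanup from moving it back to where the removed lines 871-872 sat. In the first hunk the new guard is written `if (...) {` on one line while the enclosing function puts each opening brace on its own line (lines 841-842, 854-855); matching that keeps the function uniform. The trace on line 844 hard-codes "Need at least 2." while the test uses `sizeof(sdu_length)`; printing `sizeof(sdu_length)` with `%zu` ties the message to the check, assuming L2CAP_TRACE_ERROR accepts standard printf conversions. The body of l2c_lcc_proc_pdu starts and ends outside these hunks, so whether the continuation-segment path (line 884 onward) also bounds p_buf->len against the remaining SDU length cannot be confirmed from here.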