OSDN > Developer > hafixie93 > Chamber > system-bt > Commit

system-bt
Fork

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Revision	64a5fc167566a482ddc88647dedf5fe059f94e51 (tree)
Time	2019-01-18 19:52:46
Author	Myles Watson <mylesgw@goog...>
Commiter	Vasyl Gello

Log Message

MCAP: Check response length in mca_ccb_hdl_rsp

Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
(cherry picked from commit 0ab53ca2af26f70126d6d9d6600d090a720758fa)

Change Summary

modified: stack/mcap/mca_cact.c (diff)

Incremental Difference

--- a/stack/mcap/mca_cact.c

+++ b/stack/mcap/mca_cact.c

		@@ -475,13 +475,27 @@ void mca_ccb_hdl_rsp(tMCA_CCB p_ccb, tMCA_CCB_EVT p_data)
475	475	tMCA_RESULT result = MCA_BAD_HANDLE;
476	476	tMCA_TC_TBL *p_tbl;
477	477
478		- if (p_ccb->p_tx_req)
	478	+ if (p_pkt->len < sizeof(evt_data.hdr.op_code) +
	479	+ sizeof(evt_data.rsp.rsp_code) +
	480	+ sizeof(evt_data.hdr.mdl_id))
	481	+ {
	482	+ android_errorWriteLog(0x534e4554, "116319076");
	483	+ MCA_TRACE_ERROR("%s: Response packet is too short", __func__);
	484	+ }
	485	+ else if (p_ccb->p_tx_req)
479	486	{
480	487	/* verify that the received response matches the sent request */
481	488	p = (UINT8 *)(p_pkt + 1) + p_pkt->offset;
482	489	evt_data.hdr.op_code = *p++;
483		- if ((evt_data.hdr.op_code == 0) \|\|
484		- ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code))
	490	+ if ((evt_data.hdr.op_code == MCA_OP_MDL_CREATE_RSP) &&
	491	+ (p_pkt->len <
	492	+ sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) +
	493	+ sizeof(evt_data.hdr.mdl_id) + sizeof(evt_data.create_cfm.cfg)))
	494	+ {
	495	+ android_errorWriteLog(0x534e4554, "116319076");
	496	+ MCA_TRACE_ERROR("%s: MDL Create Response packet is too short", __func__);
	497	+ } else if ((evt_data.hdr.op_code == 0) \|\|
	498	+ ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code))
485	499	{
486	500	evt_data.rsp.rsp_code = *p++;
487	501	mca_stop_timer(p_ccb);

system-bt Fork