Revisão | 140d8297ace9cd54a903a9cd3a079fd805030f1e (tree) |
---|---|
Hora | 2019-11-26 14:08:38 |
Autor | Ted Wang <tedwang@goog...> |
Commiter | Ted Wang |
Fix potential OOB write in btm_read_remote_ext_features_complete
Add an event length check so that an HCI event sent from the controller
with an incorrect length is rejected.
Add a page number check so that a page number bigger than
HCI_EXT_FEATURES_PAGE_MAX is rejected.
Bug: 141552859
Bug: 144205318
Test: inject function
Merged-In: Iaca4db4ee9bf27362f62aba0da088727e98955d1
Change-Id: Iaca4db4ee9bf27362f62aba0da088727e98955d1
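--- a/PATH_NOT_ON_PAGE_FILE_1
+++ b/PATH_NOT_ON_PAGE_FILE_1
@@ -1082,7 +1082,7 @@ void btm_read_remote_features_complete(uint8_t* p) {
 * Returns void
 *
 ******************************************************************************/
-void btm_read_remote_ext_features_complete(uint8_t* p) {
+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
 tACL_CONN* p_acl_cb;
 uint8_t page_num, max_page;
 uint16_t handle;
@@ -1090,6 +1090,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
 
 BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
 
+ if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
+ android_errorWriteLog(0x534e4554, "141552859");
+ BTM_TRACE_ERROR(
+ "btm_read_remote_ext_features_complete evt length too short. length=%d",
+ evt_len);
+ return;
+ }
+
 ++p;
 STREAM_TO_UINT16(handle, p);
 STREAM_TO_UINT8(page_num, p);
@@ -1109,6 +1117,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
 return;
 }
 
+ if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {
+ android_errorWriteLog(0x534e4554, "141552859");
+ BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
+ page_num);
+ return;
+ }
+
+ if (page_num > max_page) {
+ BTM_TRACE_WARNING(
+ "btm_read_remote_ext_features_complete num_page=%d, max_page=%d "
+ "invalid", page_num, max_page);
+ }
+
 p_acl_cb = &btm_cb.acl_db[acl_idx];
 
 /* Copy the received features page */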
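Review bot: The guard `if (page_num > HCI_EXT_FEATURES_PAGE_MAX)` at new line 1120 only rejects values strictly above the maximum, so it is sufficient only if the per-ACL feature page array is declared with HCI_EXT_FEATURES_PAGE_MAX + 1 entries; that declaration is outside the hunk, and if the array has HCI_EXT_FEATURES_PAGE_MAX entries the check is off by one and should read `if (page_num >= HCI_EXT_FEATURES_PAGE_MAX) {`. The function header in the first hunk still ends at `* Returns void` with no mention of the new parameter; add a line such as `* evt_len - parameter length of the HCI event including the status byte; events shorter than HCI_EXT_FEATURES_SUCCESS_EVT_LEN are dropped`. The `page_num > max_page` branch at new line 1127 only warns and then continues to the "Copy the received features page" step, which looks intentional but deserves a one-line comment saying the page is still stored because the index has already been bounded. The body of btm_read_remote_ext_features_complete continues between and after these hunks.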
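--- a/PATH_NOT_ON_PAGE_FILE_2
+++ b/PATH_NOT_ON_PAGE_FILE_2
@@ -118,7 +118,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void);
 extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr,
 tBT_TRANSPORT transport);
 extern void btm_read_remote_features_complete(uint8_t* p);
-extern void btm_read_remote_ext_features_complete(uint8_t* p);
+extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
 extern void btm_read_remote_ext_features_failed(uint8_t status,
 uint16_t handle);
 extern void btm_read_remote_version_complete(uint8_t* p);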
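--- a/PATH_NOT_ON_PAGE_FILE_3
+++ b/PATH_NOT_ON_PAGE_FILE_3
@@ -71,7 +71,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p);
 static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
 static void btu_hcif_encryption_change_evt(uint8_t* p);
 static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+ uint8_t evt_len);
 static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
 static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
 static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);
@@ -195,7 +196,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
 btu_hcif_read_rmt_features_comp_evt(p);
 break;
 case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
- btu_hcif_read_rmt_ext_features_comp_evt(p);
+ btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
 break;
 case HCI_READ_RMT_VERSION_COMP_EVT:
 btu_hcif_read_rmt_version_comp_evt(p);
@@ -812,7 +813,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) {
 * Returns void
 *
 ******************************************************************************/
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+ uint8_t evt_len) {
 uint8_t* p_cur = p;
 uint8_t status;
 uint16_t handle;
@@ -820,7 +822,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
 STREAM_TO_UINT8(status, p_cur);
 
 if (status == HCI_SUCCESS)
- btm_read_remote_ext_features_complete(p);
+ btm_read_remote_ext_features_complete(p, evt_len);
 else {
 STREAM_TO_UINT16(handle, p_cur);
 btm_read_remote_ext_features_failed(status, handle);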
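Review bot: evt_len is only consulted on the HCI_SUCCESS path of btu_hcif_read_rmt_ext_features_comp_evt (new line 825); the `STREAM_TO_UINT8(status, p_cur)` at new line 822 and the `STREAM_TO_UINT16(handle, p_cur)` in the else branch still parse the event with no length check, so unless btu_hcif_process_event already validates the length, which these hunks do not show, a failure event shorter than status plus handle would be read past its end. A single guard before the status read, `if (evt_len < 3) return;` with the 3 turned into a named constant next to HCI_EXT_FEATURES_SUCCESS_EVT_LEN and an error trace like the one the success path gets, would cover both branches. Neither the static prototype at new line 74 nor the definition at new line 816 says what evt_len is; a comment stating that it is the HCI event parameter length passed down from btu_hcif_process_event would help. The function body continues after the last hunk.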
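--- a/PATH_NOT_ON_PAGE_FILE_4
+++ b/PATH_NOT_ON_PAGE_FILE_4
@@ -1322,6 +1322,8 @@ typedef struct {
 
 #define HCI_FEATURE_BYTES_PER_PAGE 8
 
+#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
+
 #define HCI_FEATURES_KNOWN(x) \
 (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0)
 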
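Review bot: The new `#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13` is a bare magic number with no comment explaining how it was derived, and the only place it can be checked against the event layout is btm_read_remote_ext_features_complete in another file. From the fields that function parses (status byte, 16-bit handle, page_num, presumably max_page, then one feature page) the value appears to be 1 + 2 + 1 + 1 + HCI_FEATURE_BYTES_PER_PAGE; writing it as `#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN (1 + 2 + 1 + 1 + HCI_FEATURE_BYTES_PER_PAGE)` with a comment `/* status, handle, page_num, max_page, one feature page */` ties the constant to HCI_FEATURE_BYTES_PER_PAGE defined two lines above and documents the layout for the next reader.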