system/bt
| Revisão | 153e2d50c1e8c52a27c3a954a77664d576b96b82 (tree) |
|---|---|
| Hora | 2019-12-20 06:20:42 |
| Autor | Jakub Pawlowski <jpawlowski@goog...> |
| Commiter | Myles Watson |
Fix potential OOB when parsing inquiry results
Bug: 141620271
Change-Id: I30c7558b1ae1a77d0004760ef831480347a06e11
(cherry picked from commit c44516749af81bc5fc79afc0772f42bf0ec37bd4)
stack/btm/btm_inq.cc (diff)
stack/btm/btm_int.h (diff) stack/btu/btu_hcif.cc (diff)| @@ -25,6 +25,7 @@ | ||
| 25 | 25 | * |
| 26 | 26 | ******************************************************************************/ |
| 27 | 27 | |
| 28 | +#include <log/log.h> | |
| 28 | 29 | #include <stddef.h> |
| 29 | 30 | #include <stdio.h> |
| 30 | 31 | #include <stdlib.h> |
| @@ -1602,7 +1603,8 @@ static void btm_initiate_inquiry(tBTM_INQUIRY_VAR_ST* p_inq) { | ||
| 1602 | 1603 | * Returns void |
| 1603 | 1604 | * |
| 1604 | 1605 | ******************************************************************************/ |
| 1605 | -void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode) { | |
| 1606 | +void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len, | |
| 1607 | + uint8_t inq_res_mode) { | |
| 1606 | 1608 | uint8_t num_resp, xx; |
| 1607 | 1609 | RawAddress bda; |
| 1608 | 1610 | tINQ_DB_ENT* p_i; |
| @@ -1631,10 +1633,29 @@ void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode) { | ||
| 1631 | 1633 | |
| 1632 | 1634 | STREAM_TO_UINT8(num_resp, p); |
| 1633 | 1635 | |
| 1634 | - if (inq_res_mode == BTM_INQ_RESULT_EXTENDED && (num_resp > 1)) { | |
| 1635 | - BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1", | |
| 1636 | - num_resp); | |
| 1637 | - return; | |
| 1636 | + if (inq_res_mode == BTM_INQ_RESULT_EXTENDED) { | |
| 1637 | + if (num_resp > 1) { | |
| 1638 | + BTM_TRACE_ERROR("btm_process_inq_results() extended results (%d) > 1", | |
| 1639 | + num_resp); | |
| 1640 | + return; | |
| 1641 | + } | |
| 1642 | + | |
| 1643 | + constexpr uint16_t extended_inquiry_result_size = 254; | |
| 1644 | + if (hci_evt_len - 1 != extended_inquiry_result_size) { | |
| 1645 | + android_errorWriteLog(0x534e4554, "141620271"); | |
| 1646 | + BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__, | |
| 1647 | + num_resp, hci_evt_len); | |
| 1648 | + return; | |
| 1649 | + } | |
| 1650 | + } else if (inq_res_mode == BTM_INQ_RESULT_STANDARD || | |
| 1651 | + inq_res_mode == BTM_INQ_RESULT_WITH_RSSI) { | |
| 1652 | + constexpr uint16_t inquiry_result_size = 14; | |
| 1653 | + if (hci_evt_len < num_resp * inquiry_result_size) { | |
| 1654 | + android_errorWriteLog(0x534e4554, "141620271"); | |
| 1655 | + BTM_TRACE_ERROR("%s: can't fit %d results in %d bytes", __func__, | |
| 1656 | + num_resp, hci_evt_len); | |
| 1657 | + return; | |
| 1658 | + } | |
| 1638 | 1659 | } |
| 1639 | 1660 | |
| 1640 | 1661 | for (xx = 0; xx < num_resp; xx++) { |
| @@ -65,7 +65,8 @@ extern void btm_inq_remote_name_timer_timeout(void* data); | ||
| 65 | 65 | /* Inquiry related functions */ |
| 66 | 66 | extern void btm_clr_inq_db(const RawAddress* p_bda); |
| 67 | 67 | extern void btm_inq_db_init(void); |
| 68 | -extern void btm_process_inq_results(uint8_t* p, uint8_t inq_res_mode); | |
| 68 | +extern void btm_process_inq_results(uint8_t* p, uint8_t hci_evt_len, | |
| 69 | + uint8_t inq_res_mode); | |
| 69 | 70 | extern void btm_process_inq_complete(uint8_t status, uint8_t mode); |
| 70 | 71 | extern void btm_process_cancel_complete(uint8_t status, uint8_t mode); |
| 71 | 72 | extern void btm_event_filter_complete(uint8_t* p); |
| @@ -64,9 +64,10 @@ extern void smp_cancel_start_encryption_attempt(); | ||
| 64 | 64 | /* L O C A L F U N C T I O N P R O T O T Y P E S */ |
| 65 | 65 | /******************************************************************************/ |
| 66 | 66 | static void btu_hcif_inquiry_comp_evt(uint8_t* p); |
| 67 | -static void btu_hcif_inquiry_result_evt(uint8_t* p); | |
| 68 | -static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p); | |
| 69 | -static void btu_hcif_extended_inquiry_result_evt(uint8_t* p); | |
| 67 | +static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len); | |
| 68 | +static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len); | |
| 69 | +static void btu_hcif_extended_inquiry_result_evt(uint8_t* p, | |
| 70 | + uint8_t hci_evt_len); | |
| 70 | 71 | |
| 71 | 72 | static void btu_hcif_connection_comp_evt(uint8_t* p); |
| 72 | 73 | static void btu_hcif_connection_request_evt(uint8_t* p); |
| @@ -263,13 +264,13 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) { | ||
| 263 | 264 | btu_hcif_inquiry_comp_evt(p); |
| 264 | 265 | break; |
| 265 | 266 | case HCI_INQUIRY_RESULT_EVT: |
| 266 | - btu_hcif_inquiry_result_evt(p); | |
| 267 | + btu_hcif_inquiry_result_evt(p, hci_evt_len); | |
| 267 | 268 | break; |
| 268 | 269 | case HCI_INQUIRY_RSSI_RESULT_EVT: |
| 269 | - btu_hcif_inquiry_rssi_result_evt(p); | |
| 270 | + btu_hcif_inquiry_rssi_result_evt(p, hci_evt_len); | |
| 270 | 271 | break; |
| 271 | 272 | case HCI_EXTENDED_INQUIRY_RESULT_EVT: |
| 272 | - btu_hcif_extended_inquiry_result_evt(p); | |
| 273 | + btu_hcif_extended_inquiry_result_evt(p, hci_evt_len); | |
| 273 | 274 | break; |
| 274 | 275 | case HCI_CONNECTION_COMP_EVT: |
| 275 | 276 | btu_hcif_connection_comp_evt(p); |
| @@ -948,9 +949,9 @@ static void btu_hcif_inquiry_comp_evt(uint8_t* p) { | ||
| 948 | 949 | * Returns void |
| 949 | 950 | * |
| 950 | 951 | ******************************************************************************/ |
| 951 | -static void btu_hcif_inquiry_result_evt(uint8_t* p) { | |
| 952 | +static void btu_hcif_inquiry_result_evt(uint8_t* p, uint8_t hci_evt_len) { | |
| 952 | 953 | /* Store results in the cache */ |
| 953 | - btm_process_inq_results(p, BTM_INQ_RESULT_STANDARD); | |
| 954 | + btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_STANDARD); | |
| 954 | 955 | } |
| 955 | 956 | |
| 956 | 957 | /******************************************************************************* |
| @@ -962,9 +963,9 @@ static void btu_hcif_inquiry_result_evt(uint8_t* p) { | ||
| 962 | 963 | * Returns void |
| 963 | 964 | * |
| 964 | 965 | ******************************************************************************/ |
| 965 | -static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p) { | |
| 966 | +static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p, uint8_t hci_evt_len) { | |
| 966 | 967 | /* Store results in the cache */ |
| 967 | - btm_process_inq_results(p, BTM_INQ_RESULT_WITH_RSSI); | |
| 968 | + btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_WITH_RSSI); | |
| 968 | 969 | } |
| 969 | 970 | |
| 970 | 971 | /******************************************************************************* |
| @@ -976,9 +977,10 @@ static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p) { | ||
| 976 | 977 | * Returns void |
| 977 | 978 | * |
| 978 | 979 | ******************************************************************************/ |
| 979 | -static void btu_hcif_extended_inquiry_result_evt(uint8_t* p) { | |
| 980 | +static void btu_hcif_extended_inquiry_result_evt(uint8_t* p, | |
| 981 | + uint8_t hci_evt_len) { | |
| 980 | 982 | /* Store results in the cache */ |
| 981 | - btm_process_inq_results(p, BTM_INQ_RESULT_EXTENDED); | |
| 983 | + btm_process_inq_results(p, hci_evt_len, BTM_INQ_RESULT_EXTENDED); | |
| 982 | 984 | } |
| 983 | 985 | |
| 984 | 986 | /******************************************************************************* |
Fork