system/bt
| Revisão | a1ffc4b626607b032109fd3340ac7a99b46cb7d1 (tree) |
|---|---|
| Hora | 2019-02-21 13:37:12 |
| Autor | Jakub Pawlowski <jpawlowski@goog...> |
| Commiter | Kevin Haggerty |
Fix buffer overflow in btif_dm_data_copy
When we use a union, we should always define variables as the union type,
not as one of the field subtypes. If the latter is cast to the union type,
buffer overflow can happen.
Bug: 110166268
Test: compilation
Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd
Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd
(cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d)
stack/smp/smp_act.c (diff) stack/smp/smp_utils.c (diff)| @@ -398,7 +398,7 @@ void smp_send_keypress_notification(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) | ||
| 398 | 398 | *******************************************************************************/ |
| 399 | 399 | void smp_send_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) |
| 400 | 400 | { |
| 401 | - tBTM_LE_LENC_KEYS le_key; | |
| 401 | + tBTM_LE_KEY_VALUE le_key; | |
| 402 | 402 | |
| 403 | 403 | SMP_TRACE_DEBUG("%s p_cb->loc_enc_size = %d", __func__, p_cb->loc_enc_size); |
| 404 | 404 | smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, FALSE); |
| @@ -407,14 +407,13 @@ void smp_send_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) | ||
| 407 | 407 | smp_send_cmd(SMP_OPCODE_MASTER_ID, p_cb); |
| 408 | 408 | |
| 409 | 409 | /* save the DIV and key size information when acting as slave device */ |
| 410 | - memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
| 411 | - le_key.div = p_cb->div; | |
| 412 | - le_key.key_size = p_cb->loc_enc_size; | |
| 413 | - le_key.sec_level = p_cb->sec_level; | |
| 410 | + memcpy(le_key.lenc_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
| 411 | + le_key.lenc_key.div = p_cb->div; | |
| 412 | + le_key.lenc_key.key_size = p_cb->loc_enc_size; | |
| 413 | + le_key.lenc_key.sec_level = p_cb->sec_level; | |
| 414 | 414 | |
| 415 | 415 | if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) |
| 416 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, | |
| 417 | - (tBTM_LE_KEY_VALUE *)&le_key, TRUE); | |
| 416 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &le_key, TRUE); | |
| 418 | 417 | |
| 419 | 418 | SMP_TRACE_WARNING ("%s", __func__); |
| 420 | 419 |
| @@ -448,17 +447,17 @@ void smp_send_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) | ||
| 448 | 447 | *******************************************************************************/ |
| 449 | 448 | void smp_send_csrk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) |
| 450 | 449 | { |
| 451 | - tBTM_LE_LCSRK_KEYS key; | |
| 450 | + tBTM_LE_KEY_VALUE key; | |
| 452 | 451 | SMP_TRACE_DEBUG("%s", __func__); |
| 453 | 452 | smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, FALSE); |
| 454 | 453 | |
| 455 | 454 | if (smp_send_cmd(SMP_OPCODE_SIGN_INFO, p_cb)) |
| 456 | 455 | { |
| 457 | - key.div = p_cb->div; | |
| 458 | - key.sec_level = p_cb->sec_level; | |
| 459 | - key.counter = 0; /* initialize the local counter */ | |
| 460 | - memcpy (key.csrk, p_cb->csrk, BT_OCTET16_LEN); | |
| 461 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, (tBTM_LE_KEY_VALUE *)&key, TRUE); | |
| 456 | + key.lcsrk_key.div = p_cb->div; | |
| 457 | + key.lcsrk_key.sec_level = p_cb->sec_level; | |
| 458 | + key.lcsrk_key.counter = 0; /* initialize the local counter */ | |
| 459 | + memcpy(key.lcsrk_key.csrk, p_cb->csrk, BT_OCTET16_LEN); | |
| 460 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LCSRK, &key, TRUE); | |
| 462 | 461 | } |
| 463 | 462 | |
| 464 | 463 | smp_key_distribution_by_transport(p_cb, NULL); |
| @@ -1039,7 +1038,7 @@ void smp_proc_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) | ||
| 1039 | 1038 | void smp_proc_master_id(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) |
| 1040 | 1039 | { |
| 1041 | 1040 | UINT8 *p = (UINT8 *)p_data; |
| 1042 | - tBTM_LE_PENC_KEYS le_key; | |
| 1041 | + tBTM_LE_KEY_VALUE le_key; | |
| 1043 | 1042 | |
| 1044 | 1043 | SMP_TRACE_DEBUG("%s", __func__); |
| 1045 | 1044 |
| @@ -1054,18 +1053,16 @@ void smp_proc_master_id(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) | ||
| 1054 | 1053 | |
| 1055 | 1054 | smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, TRUE); |
| 1056 | 1055 | |
| 1057 | - STREAM_TO_UINT16(le_key.ediv, p); | |
| 1058 | - STREAM_TO_ARRAY(le_key.rand, p, BT_OCTET8_LEN ); | |
| 1056 | + STREAM_TO_UINT16(le_key.penc_key.ediv, p); | |
| 1057 | + STREAM_TO_ARRAY(le_key.penc_key.rand, p, BT_OCTET8_LEN); | |
| 1059 | 1058 | |
| 1060 | 1059 | /* store the encryption keys from peer device */ |
| 1061 | - memcpy(le_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
| 1062 | - le_key.sec_level = p_cb->sec_level; | |
| 1063 | - le_key.key_size = p_cb->loc_enc_size; | |
| 1060 | + memcpy(le_key.penc_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
| 1061 | + le_key.penc_key.sec_level = p_cb->sec_level; | |
| 1062 | + le_key.penc_key.key_size = p_cb->loc_enc_size; | |
| 1064 | 1063 | |
| 1065 | 1064 | if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) |
| 1066 | - btm_sec_save_le_key(p_cb->pairing_bda, | |
| 1067 | - BTM_LE_KEY_PENC, | |
| 1068 | - (tBTM_LE_KEY_VALUE *)&le_key, TRUE); | |
| 1065 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &le_key, TRUE); | |
| 1069 | 1066 | |
| 1070 | 1067 | smp_key_distribution(p_cb, NULL); |
| 1071 | 1068 | } |
| @@ -1099,24 +1096,23 @@ void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) | ||
| 1099 | 1096 | void smp_proc_id_addr(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) |
| 1100 | 1097 | { |
| 1101 | 1098 | UINT8 *p = (UINT8 *)p_data; |
| 1102 | - tBTM_LE_PID_KEYS pid_key; | |
| 1099 | + tBTM_LE_KEY_VALUE pid_key; | |
| 1103 | 1100 | |
| 1104 | 1101 | SMP_TRACE_DEBUG("%s", __func__); |
| 1105 | 1102 | smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ID, TRUE); |
| 1106 | 1103 | |
| 1107 | - STREAM_TO_UINT8(pid_key.addr_type, p); | |
| 1108 | - STREAM_TO_BDADDR(pid_key.static_addr, p); | |
| 1109 | - memcpy(pid_key.irk, p_cb->tk, BT_OCTET16_LEN); | |
| 1104 | + STREAM_TO_UINT8(pid_key.pid_key.addr_type, p); | |
| 1105 | + STREAM_TO_BDADDR(pid_key.pid_key.static_addr, p); | |
| 1106 | + memcpy(pid_key.pid_key.irk, p_cb->tk, BT_OCTET16_LEN); | |
| 1110 | 1107 | |
| 1111 | 1108 | /* to use as BD_ADDR for lk derived from ltk */ |
| 1112 | 1109 | p_cb->id_addr_rcvd = TRUE; |
| 1113 | - p_cb->id_addr_type = pid_key.addr_type; | |
| 1114 | - memcpy(p_cb->id_addr, pid_key.static_addr, BD_ADDR_LEN); | |
| 1110 | + p_cb->id_addr_type = pid_key.pid_key.addr_type; | |
| 1111 | + memcpy(p_cb->id_addr, pid_key.pid_key.static_addr, BD_ADDR_LEN); | |
| 1115 | 1112 | |
| 1116 | 1113 | /* store the ID key from peer device */ |
| 1117 | 1114 | if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) |
| 1118 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, | |
| 1119 | - (tBTM_LE_KEY_VALUE *)&pid_key, TRUE); | |
| 1115 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PID, &pid_key, TRUE); | |
| 1120 | 1116 | smp_key_distribution_by_transport(p_cb, NULL); |
| 1121 | 1117 | } |
| 1122 | 1118 |
| @@ -1126,20 +1122,18 @@ void smp_proc_id_addr(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) | ||
| 1126 | 1122 | *******************************************************************************/ |
| 1127 | 1123 | void smp_proc_srk_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) |
| 1128 | 1124 | { |
| 1129 | - tBTM_LE_PCSRK_KEYS le_key; | |
| 1125 | + tBTM_LE_KEY_VALUE le_key; | |
| 1130 | 1126 | |
| 1131 | 1127 | SMP_TRACE_DEBUG("%s", __func__); |
| 1132 | 1128 | smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_CSRK, TRUE); |
| 1133 | 1129 | |
| 1134 | 1130 | /* save CSRK to security record */ |
| 1135 | - le_key.sec_level = p_cb->sec_level; | |
| 1136 | - memcpy (le_key.csrk, p_data, BT_OCTET16_LEN); /* get peer CSRK */ | |
| 1137 | - le_key.counter = 0; /* initialize the peer counter */ | |
| 1131 | + le_key.pcsrk_key.sec_level = p_cb->sec_level; | |
| 1132 | + memcpy (le_key.pcsrk_key.csrk, p_data, BT_OCTET16_LEN); /* get peer CSRK */ | |
| 1133 | + le_key.pcsrk_key.counter = 0; /* initialize the peer counter */ | |
| 1138 | 1134 | |
| 1139 | 1135 | if ((p_cb->peer_auth_req & SMP_AUTH_BOND) && (p_cb->loc_auth_req & SMP_AUTH_BOND)) |
| 1140 | - btm_sec_save_le_key(p_cb->pairing_bda, | |
| 1141 | - BTM_LE_KEY_PCSRK, | |
| 1142 | - (tBTM_LE_KEY_VALUE *)&le_key, TRUE); | |
| 1136 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PCSRK, &le_key, TRUE); | |
| 1143 | 1137 | smp_key_distribution_by_transport(p_cb, NULL); |
| 1144 | 1138 | } |
| 1145 | 1139 |
| @@ -1459,23 +1459,23 @@ BOOLEAN smp_check_commitment(tSMP_CB *p_cb) | ||
| 1459 | 1459 | *******************************************************************************/ |
| 1460 | 1460 | void smp_save_secure_connections_long_term_key(tSMP_CB *p_cb) |
| 1461 | 1461 | { |
| 1462 | - tBTM_LE_LENC_KEYS lle_key; | |
| 1463 | - tBTM_LE_PENC_KEYS ple_key; | |
| 1462 | + tBTM_LE_KEY_VALUE lle_key; | |
| 1463 | + tBTM_LE_KEY_VALUE ple_key; | |
| 1464 | 1464 | |
| 1465 | 1465 | SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__); |
| 1466 | - memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
| 1467 | - lle_key.div = 0; | |
| 1468 | - lle_key.key_size = p_cb->loc_enc_size; | |
| 1469 | - lle_key.sec_level = p_cb->sec_level; | |
| 1470 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, (tBTM_LE_KEY_VALUE *)&lle_key, TRUE); | |
| 1466 | + memcpy(lle_key.lenc_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
| 1467 | + lle_key.lenc_key.div = 0; | |
| 1468 | + lle_key.lenc_key.key_size = p_cb->loc_enc_size; | |
| 1469 | + lle_key.lenc_key.sec_level = p_cb->sec_level; | |
| 1470 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, TRUE); | |
| 1471 | 1471 | |
| 1472 | 1472 | SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__); |
| 1473 | - ple_key.ediv = 0; | |
| 1474 | - memset(ple_key.rand, 0, BT_OCTET8_LEN); | |
| 1475 | - memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
| 1476 | - ple_key.sec_level = p_cb->sec_level; | |
| 1477 | - ple_key.key_size = p_cb->loc_enc_size; | |
| 1478 | - btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, (tBTM_LE_KEY_VALUE *)&ple_key, TRUE); | |
| 1473 | + ple_key.penc_key.ediv = 0; | |
| 1474 | + memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN); | |
| 1475 | + memcpy(ple_key.penc_key.ltk, p_cb->ltk, BT_OCTET16_LEN); | |
| 1476 | + ple_key.penc_key.sec_level = p_cb->sec_level; | |
| 1477 | + ple_key.penc_key.key_size = p_cb->loc_enc_size; | |
| 1478 | + btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, TRUE); | |
| 1479 | 1479 | } |
| 1480 | 1480 | |
| 1481 | 1481 | /******************************************************************************* |
Fork