
system/bt


Commit MetaInfo

修訂2aa92f871c2f2ea2181b74b49bf152f2606fb7c5 (tree)
時間2019-11-27 06:37:36
作者Ted Wang <tedwang@goog...>
CommiterJakub Pawlowski

Log Message

Fix potential OOB write in btm_read_remote_ext_features_complete

Add an event length check so that a malformed HCI event sent from the
controller is rejected.
Add a page number check so that a page number larger than
HCI_EXT_FEATURES_PAGE_MAX is rejected.

Bug: 141552859
Bug: 144205318
Test: inject function
Merged-In: Iaca4db4ee9bf27362f62aba0da088727e98955d1
Change-Id: Iaca4db4ee9bf27362f62aba0da088727e98955d1

Change Summary

差異

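--- a/stack/btm/btm_acl.cc
+++ b/stack/btm/btm_acl.cc
@@ -1085,7 +1085,7 @@ void btm_read_remote_features_complete(uint8_t* p) {
 * Returns void
 *
 ******************************************************************************/
-void btm_read_remote_ext_features_complete(uint8_t* p) {
+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
 tACL_CONN* p_acl_cb;
 uint8_t page_num, max_page;
 uint16_t handle;
@@ -1093,6 +1093,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
 
 BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
 
+if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
+android_errorWriteLog(0x534e4554, "141552859");
+BTM_TRACE_ERROR(
+"btm_read_remote_ext_features_complete evt length too short. length=%d",
+evt_len);
+return;
+}
+
 ++p;
 STREAM_TO_UINT16(handle, p);
 STREAM_TO_UINT8(page_num, p);
@@ -1112,6 +1120,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
 return;
 }
 
+if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {
+android_errorWriteLog(0x534e4554, "141552859");
+BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
+page_num);
+return;
+}
+
+if (page_num > max_page) {
+BTM_TRACE_WARNING(
+"btm_read_remote_ext_features_complete num_page=%d, max_page=%d "
+"invalid", page_num, max_page);
+}
+
 p_acl_cb = &btm_cb.acl_db[acl_idx];
 
 /* Copy the received features page */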
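Review bot: The new `page_num > HCI_EXT_FEATURES_PAGE_MAX` check at 1123 only bounds the later copy if the destination feature-page array is dimensioned `HCI_EXT_FEATURES_PAGE_MAX + 1`; the copy it protects ("Copy the received features page") and the tACL_CONN definition are outside the hunk, so that sizing should be confirmed rather than assumed. The `page_num > max_page` case at 1130 is only logged and the page is still stored, which is fine for memory safety under that sizing but means a controller-reported inconsistency silently updates connection state; consider whether it should return like the two rejections above it. The function header above the hunk still documents only `p`; add `* Parameters: p - event payload starting at the status byte; evt_len - total event length, must be >= HCI_EXT_FEATURES_SUCCESS_EVT_LEN` so the contract that `evt_len` counts the status byte skipped by `++p` is explicit. The function body continues past the hunk.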
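--- a/stack/btm/btm_int.h
+++ b/stack/btm/btm_int.h
@@ -119,7 +119,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void);
 extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr,
 tBT_TRANSPORT transport);
 extern void btm_read_remote_features_complete(uint8_t* p);
-extern void btm_read_remote_ext_features_complete(uint8_t* p);
+extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
 extern void btm_read_remote_ext_features_failed(uint8_t status,
 uint16_t handle);
 extern void btm_read_remote_version_complete(uint8_t* p);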
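--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -75,7 +75,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p);
 static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
 static void btu_hcif_encryption_change_evt(uint8_t* p);
 static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+uint8_t evt_len);
 static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
 static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
 static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);
@@ -295,7 +296,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
 btu_hcif_read_rmt_features_comp_evt(p);
 break;
 case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
-btu_hcif_read_rmt_ext_features_comp_evt(p);
+btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
 break;
 case HCI_READ_RMT_VERSION_COMP_EVT:
 btu_hcif_read_rmt_version_comp_evt(p);
@@ -1211,7 +1212,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) {
 * Returns void
 *
 ******************************************************************************/
-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
+uint8_t evt_len) {
 uint8_t* p_cur = p;
 uint8_t status;
 uint16_t handle;
@@ -1219,7 +1221,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
 STREAM_TO_UINT8(status, p_cur);
 
 if (status == HCI_SUCCESS)
-btm_read_remote_ext_features_complete(p);
+btm_read_remote_ext_features_complete(p, evt_len);
 else {
 STREAM_TO_UINT16(handle, p_cur);
 btm_read_remote_ext_features_failed(status, handle);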
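Review bot: The failure branch at 1226 still does `STREAM_TO_UINT16(handle, p_cur)` without consulting the new `evt_len`, and `STREAM_TO_UINT8(status, p_cur)` at 1221 runs before any length check, so only the success path is guarded, and that inside the callee; an event shorter than three bytes would be parsed beyond its declared length on the non-success path. A guard before the status read, e.g. `if (evt_len < 3) return;` (status byte plus the 2-byte handle), would cover both paths — unless a check sits in the one line between the two hunks that is not shown. The sibling prototype at 75 declares `evt_len` as `uint16_t` while the new one uses `uint8_t`; if `hci_evt_len` in `btu_hcif_process_event` is the 8-bit HCI parameter-length field that is consistent, but the mixed widths across neighbouring handlers are worth aligning. The function body continues past the hunk.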
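--- a/stack/include/hcidefs.h
+++ b/stack/include/hcidefs.h
@@ -1323,6 +1323,8 @@ typedef struct {
 
 #define HCI_FEATURE_BYTES_PER_PAGE 8
 
+#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
+
 #define HCI_FEATURES_KNOWN(x) \
 (((x)[0] | (x)[1] | (x)[2] | (x)[3] | (x)[4] | (x)[5] | (x)[6] | (x)[7]) != 0)
 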
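Review bot: `HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13` at 1326 is a bare magic number whose composition a reader has to reconstruct from the parser in btm_acl.cc (status byte, 16-bit handle, page_num, max_page, then the feature bytes); it sits directly under `HCI_FEATURE_BYTES_PER_PAGE 8`, so express it in those terms, `#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN (1 + 2 + 1 + 1 + HCI_FEATURE_BYTES_PER_PAGE)`, with a comment `/* status + handle + page_num + max_page + one features page */`. That documents the bound the length check relies on and keeps the two constants from drifting apart if the page width is ever changed.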