system/bt
| 修訂 | 856262c9237db2c48b4a84871b17087b2dd1f2ec (tree) |
|---|---|
| 時間 | 2019-12-20 06:22:18 |
| 作者 | Myles Watson <mylesgw@goog...> |
| Commiter | Myles Watson |
HCI: Check length of connection complete event
Fixes: 141619686
Test: Pair and connect
Change-Id: Ib15d6a8cbb8c6a7404bf1afa023277429029867d
(cherry picked from commit 7ee6458cf4939ad78dbebd70c2520ad56c31f4a9)
stack/btu/btu_hcif.cc (diff)| @@ -68,7 +68,7 @@ static void btu_hcif_inquiry_result_evt(uint8_t* p); | ||
| 68 | 68 | static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p); |
| 69 | 69 | static void btu_hcif_extended_inquiry_result_evt(uint8_t* p); |
| 70 | 70 | |
| 71 | -static void btu_hcif_connection_comp_evt(uint8_t* p); | |
| 71 | +static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len); | |
| 72 | 72 | static void btu_hcif_connection_request_evt(uint8_t* p); |
| 73 | 73 | static void btu_hcif_disconnection_comp_evt(uint8_t* p); |
| 74 | 74 | static void btu_hcif_authentication_comp_evt(uint8_t* p); |
| @@ -272,7 +272,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) { | ||
| 272 | 272 | btu_hcif_extended_inquiry_result_evt(p); |
| 273 | 273 | break; |
| 274 | 274 | case HCI_CONNECTION_COMP_EVT: |
| 275 | - btu_hcif_connection_comp_evt(p); | |
| 275 | + btu_hcif_connection_comp_evt(p, hci_evt_len); | |
| 276 | 276 | break; |
| 277 | 277 | case HCI_CONNECTION_REQUEST_EVT: |
| 278 | 278 | btu_hcif_connection_request_evt(p); |
| @@ -990,7 +990,7 @@ static void btu_hcif_extended_inquiry_result_evt(uint8_t* p) { | ||
| 990 | 990 | * Returns void |
| 991 | 991 | * |
| 992 | 992 | ******************************************************************************/ |
| 993 | -static void btu_hcif_connection_comp_evt(uint8_t* p) { | |
| 993 | +static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len) { | |
| 994 | 994 | uint8_t status; |
| 995 | 995 | uint16_t handle; |
| 996 | 996 | RawAddress bda; |
| @@ -998,6 +998,12 @@ static void btu_hcif_connection_comp_evt(uint8_t* p) { | ||
| 998 | 998 | uint8_t enc_mode; |
| 999 | 999 | tBTM_ESCO_DATA esco_data; |
| 1000 | 1000 | |
| 1001 | + if (evt_len < 11) { | |
| 1002 | + android_errorWriteLog(0x534e4554, "141619686"); | |
| 1003 | + HCI_TRACE_WARNING("%s: malformed event of size %hhd", __func__, evt_len); | |
| 1004 | + return; | |
| 1005 | + } | |
| 1006 | + | |
| 1001 | 1007 | STREAM_TO_UINT8(status, p); |
| 1002 | 1008 | STREAM_TO_UINT16(handle, p); |
| 1003 | 1009 | STREAM_TO_BDADDR(bda, p); |
Fork