
system/bt


Commit MetaInfo

修訂8dee3a482dd0e75d31a1b7857d5e5d9d8ca55b49 (tree)
時間2018-11-06 06:52:57
作者Ugo Yu <ugoyu@goog...>
CommitterRohit Yengisetty

Log Message

DO NOT MERGE: Fix possible OOB when AVDT data channel receives ACL data

Bug: 111450156

Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit ad4098c340b52acdb0f48fd3e2612d810e71f4c4)

Change Summary

差異

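--- a/stack/avdt/avdt_scb_act.c
+++ b/stack/avdt/avdt_scb_act.c
@@ -23,6 +23,7 @@
 *
 ******************************************************************************/
 
+#include <cutils/log.h>
 #include <string.h>
 #include "bt_types.h"
 #include "bt_target.h"
@@ -256,10 +257,15 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
 UINT16 offset;
 UINT16 ex_len;
 UINT8 pad_len = 0;
+ UINT16 len;
 
+ len = p_data->p_pkt->len;
 p = p_start = (UINT8 *)(p_data->p_pkt + 1) + p_data->p_pkt->offset;
 
 /* parse media packet header */
+ offset = 12;
+ // AVDT_MSG_PRS_OCTET1(1) + AVDT_MSG_PRS_M_PT(1) + UINT16(2) + UINT32(4) + 4
+ if (offset > len) goto length_error;
 AVDT_MSG_PRS_OCTET1(p, o_v, o_p, o_x, o_cc);
 AVDT_MSG_PRS_M_PT(p, m_pt, marker);
 BE_STREAM_TO_UINT16(seq, p);
@@ -269,19 +275,20 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
 UNUSED(o_v);
 
 /* skip over any csrc's in packet */
+ offset += o_cc * 4;
 p += o_cc * 4;
 
 /* check for and skip over extension header */
 if (o_x)
 {
+ offset += 4;
+ if (offset > len) goto length_error;
 p += 2;
 BE_STREAM_TO_UINT16(ex_len, p);
+ offset += ex_len * 4;
 p += ex_len * 4;
 }
 
- /* save our new offset */
- offset = (UINT16) (p - p_start);
-
 /* adjust length for any padding at end of packet */
 if (o_p)
 {
@@ -325,6 +332,12 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
 osi_free_and_reset((void **)&p_data->p_pkt);
 }
 }
+ return;
+length_error:
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING("%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, offset);
+ osi_free_and_reset((void**)&p_data->p_pkt);
 }
 
 #if AVDT_REPORTING == TRUE
@@ -343,6 +356,7 @@ UINT8 * avdt_scb_hdl_report(tAVDT_SCB *p_scb, UINT8 *p, UINT16 len)
 UINT8 *p_start = p;
 UINT32 ssrc;
 UINT8 o_v, o_p, o_cc;
+ UINT16 min_len = 0;
 AVDT_REPORT_TYPE pt;
 tAVDT_REPORT_DATA report, *p_rpt;
 
@@ -351,6 +365,14 @@ UINT8 * avdt_scb_hdl_report(tAVDT_SCB *p_scb, UINT8 *p, UINT16 len)
 {
 p_rpt = &report;
 /* parse report packet header */
+ min_len += 8;
+ if (min_len > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d", __func__,
+ len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
 AVDT_MSG_PRS_RPT_OCTET1(p, o_v, o_p, o_cc);
 pt = *p++;
 p += 2;
@@ -362,6 +384,14 @@ UINT8 * avdt_scb_hdl_report(tAVDT_SCB *p_scb, UINT8 *p, UINT16 len)
 switch(pt)
 {
 case AVDT_RTCP_PT_SR: /* the packet type - SR (Sender Report) */
+ min_len += 20;
+ if (min_len > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
 BE_STREAM_TO_UINT32(report.sr.ntp_sec, p);
 BE_STREAM_TO_UINT32(report.sr.ntp_frac, p);
 BE_STREAM_TO_UINT32(report.sr.rtp_time, p);
@@ -370,6 +400,14 @@ UINT8 * avdt_scb_hdl_report(tAVDT_SCB *p_scb, UINT8 *p, UINT16 len)
 break;
 
 case AVDT_RTCP_PT_RR: /* the packet type - RR (Receiver Report) */
+ min_len += 20;
+ if (min_len > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
 report.rr.frag_lost = *p;
 BE_STREAM_TO_UINT32(report.rr.packet_lost, p);
 report.rr.packet_lost &= 0xFFFFFF;
@@ -382,10 +420,25 @@ UINT8 * avdt_scb_hdl_report(tAVDT_SCB *p_scb, UINT8 *p, UINT16 len)
 case AVDT_RTCP_PT_SDES: /* the packet type - SDES (Source Description) */
 if(*p == AVDT_RTCP_SDES_CNAME)
 {
+ min_len += sizeof(tAVDT_REPORT_DATA) + 2;
+ if (min_len > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, min_len);
+ goto avdt_scb_hdl_report_exit;
+ }
 p_rpt = (tAVDT_REPORT_DATA *)(p+2);
 }
 else
 {
+ if (min_len + 1 > len) {
+ android_errorWriteLog(0x534e4554, "111450156");
+ AVDT_TRACE_WARNING(
+ "%s: hdl packet length %d too short: must be at least %d",
+ __func__, len, min_len + 2);
+ goto avdt_scb_hdl_report_exit;
+ }
 AVDT_TRACE_WARNING( " - SDES SSRC=0x%08x sc=%d %d len=%d %s",
 ssrc, o_cc, *p, *(p+1), p+2);
 result = AVDT_BUSY;
@@ -401,6 +454,7 @@ UINT8 * avdt_scb_hdl_report(tAVDT_SCB *p_scb, UINT8 *p, UINT16 len)
 (*p_scb->cs.p_report_cback)(avdt_scb_to_hdl(p_scb), pt, p_rpt);
 
 }
+avdt_scb_hdl_report_exit:
 p_start += len;
 return p_start;
 }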
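Review bot: In the extension-header branch of avdt_scb_hdl_pkt_no_frag the new `offset += ex_len * 4;` (new line 288) is the last addition to the 16-bit `offset` and has no `offset > len` check after it; `ex_len` is itself a full UINT16 read from the packet, so `ex_len * 4` (up to 262140) wraps `offset` modulo 65536 while `p` is advanced by the unwrapped amount, and a small wrapped `offset` would pass any later comparison against `len`. Doing the comparison in a wider type before the addition closes that gap: `if ((UINT32)offset + (UINT32)ex_len * 4 > len) goto length_error;` followed by `offset += ex_len * 4;`. The padding and sanity-check code that consumes `offset` continues past the hunk, so whether a wrapped value reaches the final pointer/length adjustment cannot be confirmed from here. Separately, in avdt_scb_hdl_report's SDES else-branch the guard `if (min_len + 1 > len)` only proves `*p` is in bounds, yet the trace on the next lines reads `*(p+1)` and prints `p+2` with `%s`, which scans until a NUL the packet need not contain; the warning text already reports `min_len + 2` as the minimum, so the guard should be `if (min_len + 2 > len)` and, if AVDT_TRACE_WARNING is printf-style, the string printed with a bounded `%.*s` using `(int)(len - (min_len + 2))`.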