修訂 | f9614ab5a4a6735fad37506b7327812539db685f (tree) |
---|---|
時間 | 2018-10-08 17:42:09 |
作者 | Pavlin Radoslavov <pavlin@goog...> |
Commiter | Vasyl Gello |
Add missing AVRCP message length checks inside avrc_msg_cback
Explicitly check the length of the received message before
accessing the data.
Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 282deb3e27407aaa88b8ddbdbd7bb7d56ddc635f)
(cherry picked from commit 007868d05f4b761842c7345161aeda6fd40dd245)
@@ -24,6 +24,8 @@ | ||
24 | 24 | #include <assert.h> |
25 | 25 | #include <string.h> |
26 | 26 | |
27 | +#include <log/log.h> | |
28 | + | |
27 | 29 | #include "bt_common.h" |
28 | 30 | #include "avrc_api.h" |
29 | 31 | #include "avrc_int.h" |
@@ -595,19 +597,26 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr, | ||
595 | 597 | AVRC_TRACE_DEBUG("layer_specific %x",p_pkt->layer_specific); |
596 | 598 | if (p_pkt->layer_specific != AVCT_DATA_BROWSE) |
597 | 599 | { |
600 | + if (p_pkt->len < AVRC_AVC_HDR_SIZE) | |
598 | 601 | { |
599 | - msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK; | |
600 | - AVRC_TRACE_DEBUG("avrc_msg_cback handle:%d, ctype:%d, offset:%d, len: %d", | |
601 | - handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len); | |
602 | - msg.hdr.subunit_type = (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT; | |
603 | - msg.hdr.subunit_id = p_data[1] & AVRC_SUBID_MASK; | |
604 | - opcode = p_data[2]; | |
602 | + android_errorWriteLog(0x534e4554, "111803925"); | |
603 | + AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", | |
604 | + __func__, p_pkt->len, AVRC_AVC_HDR_SIZE); | |
605 | + osi_free(p_pkt); | |
606 | + return; | |
605 | 607 | } |
608 | + | |
609 | + msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK; | |
610 | + AVRC_TRACE_DEBUG("avrc_msg_cback handle:%d, ctype:%d, offset:%d, len: %d", | |
611 | + handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len); | |
612 | + msg.hdr.subunit_type = (p_data[1] & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT; | |
613 | + msg.hdr.subunit_id = p_data[1] & AVRC_SUBID_MASK; | |
614 | + opcode = p_data[2]; | |
615 | + | |
606 | 616 | AVRC_TRACE_DEBUG("opcode %d",opcode); |
607 | 617 | if ( ((avrc_cb.ccb[handle].control & AVRC_CT_TARGET) && (cr == AVCT_CMD)) || |
608 | 618 | ((avrc_cb.ccb[handle].control & AVRC_CT_CONTROL) && (cr == AVCT_RSP)) ) |
609 | 619 | { |
610 | - | |
611 | 620 | switch(opcode) |
612 | 621 | { |
613 | 622 | case AVRC_OP_UNIT_INFO: |
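Review bot: The too-short-header case added to avrc_msg_cback is dropped with a bare `osi_free(p_pkt); return;`, whereas the response-length checks added further down the same function (the UNIT_INFO and SUB_UNIT_INFO branches) use `drop = true; p_drop_msg = "..."; break;`, so this one malformed-packet path bypasses whatever diagnostics and cleanup the drop path performs and has to keep p_pkt ownership correct by hand. If the early return is intentional because the drop handling sits after the switch, state that at the return site, e.g. `/* Early exit: p_pkt is owned by this callback and the common drop path is not reached, so free it here. */`; otherwise routing this case through the same drop variables would keep the three checks uniform. The order of android_errorWriteLog() and AVRC_TRACE_WARNING() is also reversed relative to the other two checks, which is cosmetic but worth aligning. avrc_msg_cback begins and ends outside this hunk, so what the drop path does cannot be confirmed from here.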
@@ -634,6 +643,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr, | ||
634 | 643 | else |
635 | 644 | { |
636 | 645 | /* parse response */ |
646 | + if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) | |
647 | + { | |
648 | + AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", | |
649 | + __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN); | |
650 | + android_errorWriteLog(0x534e4554, "79883824"); | |
651 | + drop = true; | |
652 | + p_drop_msg = "UNIT_INFO_RSP too short"; | |
653 | + break; | |
654 | + } | |
637 | 655 | p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/ |
638 | 656 | msg.unit.unit_type = (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT; |
639 | 657 | msg.unit.unit = *p_data & AVRC_SUBID_MASK; |
@@ -665,6 +683,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr, | ||
665 | 683 | else |
666 | 684 | { |
667 | 685 | /* parse response */ |
686 | + if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) | |
687 | + { | |
688 | + AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d", | |
689 | + __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN); | |
690 | + android_errorWriteLog(0x534e4554, "79883824"); | |
691 | + drop = true; | |
692 | + p_drop_msg = "SUB_UNIT_INFO_RSP too short"; | |
693 | + break; | |
694 | + } | |
668 | 695 | p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */ |
669 | 696 | msg.sub.page = (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK; |
670 | 697 | xx = 0; |