Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5e04c8bb authored by Hemant Gupta's avatar Hemant Gupta Committed by Myles Watson
Browse files

OBEX : Handle Negative index Exception 

Use case:
1. Send file to remote device.
2. Wait for accepting the file transfer on remote device.
   Use Specific remote device(that sends some
     optional headers).

Failure:
No file acceptance popup seen on remote device.

Root cause:
Crash in com.android.bluetooth.

 FATAL EXCEPTION: BtOpp ClientThread
 Process: com.android.bluetooth, PID: 22527
 java.lang.NegativeArraySizeException: -3
 at javax.obex.ObexHelper.updateHeaderSet(ObexHelper.java:216)
 at javax.obex.ClientSession.sendRequest(ClientSession.java:568)
 at javax.obex.ClientSession.connect(ClientSession.java:148)
 at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread.
   connect(BluetoothOppObexClientSession.java:317)
 at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread.
   run(BluetoothOppObexClientSession.java:231)
 am_crash( 1402): [22527,0,com.android.bluetooth,818462277,java.lang.
   NegativeArraySizeException,-3,ObexHelper.java,216]

Fix:
Add length check before allocate memory and break loop if length is less than
expected header length as per OBEX Specification  to prevent crash.

Test: Verified that OPP Tx and Rx works successfully multiple times.

Bug: 35588578
Change-Id: I805e6b1d51f69645d5132c3c18db2e752d04b096
parent bbaa19ca

obex/javax/obex/ObexHelper.java

+12 −6
Original line number Diff line number Diff line
@@ -80,6 +80,9 @@ public final class ObexHelper { 
    // The minimum allowed max packet size is 255 according to the OBEX specification

    public static final int LOWER_LIMIT_MAX_PACKET_SIZE = 255;



    // The length of OBEX Byte Sequency Header Id according to the OBEX specification

    public static final int OBEX_BYTE_SEQ_HEADER_LEN = 0x03;



    /**

     * Temporary workaround to be able to push files to Windows 7.

     * TODO: Should be removed as soon as Microsoft updates their driver.
@@ -205,12 +208,15 @@ public final class ObexHelper { 
                    case 0x40:

                        boolean trimTail = true;

                        index++;

                        length = 0xFF & headerArray[index];

                        length = length << 8;

                        index++;

                        length += 0xFF & headerArray[index];

                        length -= 3;

                        index++;

                        length = ((0xFF & headerArray[index]) << 8) +

                                 (0xFF & headerArray[index + 1]);

                        index += 2;

                        if (length <= OBEX_BYTE_SEQ_HEADER_LEN) {

                            Log.e(TAG, "Remote sent an OBEX packet with " +

                                  "incorrect header length = " + length);

                            break;

                        }

                        length -= OBEX_BYTE_SEQ_HEADER_LEN;

                        value = new byte[length];

                        System.arraycopy(headerArray, index, value, 0, length);

                        if (length == 0 || (length > 0 && (value[length - 1] != 0))) {