Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 019e10a0 authored Jan 12, 2023 by Elena Petrova

Bluetooth: a2dp: fuzzer: fix UAF in the fuzzer

Move attr vector ownership up the stack to avoid
use after free within the fuzzer itself.

Bug: 257060629
Test: Fuzzer no longer crashes with irrelevant UAF
Change-Id: I98bf33c4d9e96db4402cf6bc81f6facc4181c72f

parent 7b2f30d1

system/stack/test/fuzzers/a2dp/a2dpFuzzFunctions.h

+2 −1

Original line number	Diff line number	Diff line
		@@ -64,7 +64,8 @@ std::vector<std::function<void(FuzzedDataProvider*)>> a2dp_operations = {

		// A2DP_FindService
		[](FuzzedDataProvider* fdp) -> void {
		tA2DP_SDP_DB_PARAMS p_db = generateDBParams(fdp);
		std::vector<uint16_t> attr_list;
		tA2DP_SDP_DB_PARAMS p_db = generateDBParams(fdp, attr_list);
		const RawAddress bd_addr = generateRawAddress(fdp);
		uint16_t service_uuid = fdp->ConsumeBool() ? UUID_SERVCLASS_AUDIO_SOURCE
		: UUID_SERVCLASS_AUDIO_SINK;

system/stack/test/fuzzers/a2dp/a2dpFuzzHelpers.h

+3 −2

Original line number	Diff line number	Diff line
		@@ -32,8 +32,9 @@

		#define MAX_DB_SIZE 4096

		tA2DP_SDP_DB_PARAMS generateDBParams(FuzzedDataProvider* fdp) {
		std::vector<uint16_t> attr_list = generateArbitraryAttrList(fdp);
		tA2DP_SDP_DB_PARAMS generateDBParams(FuzzedDataProvider* fdp,
		std::vector<uint16_t>& attr_list) {
		attr_list = generateArbitraryAttrList(fdp);

		tA2DP_SDP_DB_PARAMS db_params;
		db_params.db_len = fdp->ConsumeIntegralInRange<uint32_t>(0, MAX_DB_SIZE);