
Commit 0bcae788 authored by Stanley Tng's avatar Stanley Tng Committed by Ajay Panicker

DO NOT MERGE Handle bad packet length in gatts_process_read_req

Added error check and handling code in gatts_process_read_req to
make sure that the packet length is correct.
Note: an earlier CL for this fix was reverted; this is the updated version of that change.

Bug: 73172115
Test: Run the test program, poc, that was attached in the bug report
Merged-In: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
Change-Id: Ia9b4e502fa8f8384bf9767e68f73b48a0915141b
(cherry picked from commit cbb54f14)
parent e94c7116
+21 −3
@@ -22,6 +22,7 @@
 *
 ******************************************************************************/

#include <log/log.h>
#include "bt_target.h"
#include "bt_utils.h"
#include "osi/include/osi.h"
@@ -286,7 +287,7 @@ tGATT_STATUS gatt_sr_process_app_rsp(tGATT_TCB* p_tcb, tGATT_IF gatt_if,
 *
 ******************************************************************************/
void gatt_process_exec_write_req(tGATT_TCB* p_tcb, uint8_t op_code,
                                 UNUSED_ATTR uint16_t len, uint8_t* p_data) {
                                 uint16_t len, uint8_t* p_data) {
  uint8_t *p = p_data, flag, i = 0;
  uint32_t trans_id = 0;
  tGATT_IF gatt_if;
@@ -305,6 +306,13 @@ void gatt_process_exec_write_req(tGATT_TCB* p_tcb, uint8_t op_code,
  }
#endif

  if (len < sizeof(flag)) {
    android_errorWriteLog(0x534e4554, "73172115");
    LOG(ERROR) << __func__ << "invalid length";
    gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);
    return;
  }

  STREAM_TO_UINT8(flag, p);

  /* mask the flag */
@@ -976,11 +984,21 @@ void gatts_process_write_req(tGATT_TCB* p_tcb, tGATT_SRV_LIST_ELEM& el,
 */
static void gatts_process_read_req(tGATT_TCB* p_tcb, tGATT_SRV_LIST_ELEM& el,
                                   uint8_t op_code, uint16_t handle,
                                   UNUSED_ATTR uint16_t len, uint8_t* p_data) {
                                   uint16_t len, uint8_t* p_data) {
  size_t buf_len = sizeof(BT_HDR) + p_tcb->payload_size + L2CAP_MIN_OFFSET;
  tGATT_STATUS reason;
  uint8_t sec_flag, key_size, *p;
  uint16_t offset = 0, value_len = 0;

  if (op_code == GATT_REQ_READ_BLOB && len < sizeof(uint16_t)) {
    /* Error: packet length is too short */
    LOG(ERROR) << __func__ << ": packet length=" << len
               << " too short. min=" << sizeof(uint16_t);
    android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
    gatt_send_error_rsp(p_tcb, GATT_INVALID_PDU, op_code, 0, false);
    return;
  }

  BT_HDR* p_msg = (BT_HDR*)osi_calloc(buf_len);

  if (op_code == GATT_REQ_READ_BLOB) STREAM_TO_UINT16(offset, p_data);
@@ -1001,7 +1019,7 @@ static void gatts_process_read_req(tGATT_TCB* p_tcb, tGATT_SRV_LIST_ELEM& el,
  if (reason != GATT_SUCCESS) {
    osi_free(p_msg);

    /* in theroy BUSY is not possible(should already been checked), protected
    /* in theory BUSY is not possible(should already been checked), protected
     * check */
    if (reason != GATT_PENDING && reason != GATT_BUSY)
      gatt_send_error_rsp(p_tcb, reason, op_code, handle, false);
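Review bot: The new log line in gatt_process_exec_write_req, `LOG(ERROR) << __func__ << "invalid length";`, has no separator between the function name and the message, so it prints as "gatt_process_exec_write_reqinvalid length"; the sibling check in gatts_process_read_req uses `": packet length="`, so `LOG(ERROR) << __func__ << ": invalid length";` would match it. The two guards also record the bug through different helpers (`android_errorWriteLog` vs. `android_errorWriteWithInfoLog(..., -1, NULL, 0)`) for the same SafetyNet id; picking one form for both would make the audit trail easier to grep. In gatts_process_read_req the check `len < sizeof(uint16_t)` assumes `len` already excludes the 2-byte handle consumed by the caller, which is not visible in this hunk; if `len` still counts the handle the minimum should be 4, so a one-line comment stating what `len` covers (e.g. `/* len = bytes remaining after the attribute handle */`) would pin that down. Both gatt_process_exec_write_req and gatts_process_read_req continue outside the visible hunks, and the final hunk starts mid-function.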