Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0cda81e3 authored by Stanley Tng's avatar Stanley Tng Committed by android-build-team Robot
Browse files

DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu 

Add check to make sure that data buffer is big enough to read the 2
bytes for length.

Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.

Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit 3deb5ec3)
(cherry picked from commit 5cab7c92)
(cherry picked from commit 401f39f0)
parent 5b8bd242

system/stack/l2cap/l2c_fcr.cc

+12 −2
Original line number Diff line number Diff line
@@ -833,7 +833,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { 
  }



  if (p_ccb->is_first_seg) {

    if (p_buf->len < sizeof(sdu_length)) {

      L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",

                        __func__, p_buf->len);

      android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);

      /* Discard the buffer */

      osi_free(p_buf);

      return;

    }

    STREAM_TO_UINT16(sdu_length, p);



    /* Check the SDU Length with local MTU size */

    if (sdu_length > p_ccb->local_conn_cfg.mtu) {

      /* Discard the buffer */
@@ -841,6 +850,9 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { 
      return;

    }



    p_buf->len -= sizeof(sdu_length);

    p_buf->offset += sizeof(sdu_length);



    if (sdu_length < p_buf->len) {

      L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);

      android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
@@ -859,8 +871,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { 
    p_data->len = 0;

    p_ccb->ble_sdu_length = sdu_length;

    L2CAP_TRACE_DEBUG("%s SDU Length = %d", __func__, sdu_length);

    p_buf->len -= sizeof(sdu_length);

    p_buf->offset += sizeof(sdu_length);

    p_data->offset = 0;



  } else {