AVDTP: Prevent OOB read when parsing rejected response (0ed03b56) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/avdt/avdt_msg.cc

+21 −9

Original line number	Diff line number	Diff line
		@@ -985,18 +985,30 @@ static uint8_t avdt_msg_prs_security_rsp(tAVDT_MSG* p_msg, uint8_t* p,
		* Returns Error code or zero if no error.
		*
		******************************************************************************/
		static uint8_t avdt_msg_prs_rej(tAVDT_MSG* p_msg, uint8_t* p, uint8_t sig) {
		static uint8_t avdt_msg_prs_rej(tAVDT_MSG* p_msg, uint8_t* p, uint16_t len,
		uint8_t sig) {
		uint8_t error = 0;

		if (len > 0) {
		if ((sig == AVDT_SIG_SETCONFIG) \|\| (sig == AVDT_SIG_RECONFIG)) {
		p_msg->hdr.err_param = *p++;
		p_msg->hdr.err_code = *p;
		len--;
		} else if ((sig == AVDT_SIG_START) \|\| (sig == AVDT_SIG_SUSPEND)) {
		AVDT_MSG_PRS_SEID(p, p_msg->hdr.err_param);
		p_msg->hdr.err_code = *p;
		len--;
		}
		}

		if (len < 1) {
		char error_info[] = "AVDT rejected response length mismatch";
		android_errorWriteWithInfoLog(0x534e4554, "79702484", -1, error_info,
		strlen(error_info));
		error = AVDT_ERR_LENGTH;
		} else {
		p_msg->hdr.err_code = *p;
		}

		return 0;
		return error;
		}

		/*******************************************************************************
		@@ -1604,7 +1616,7 @@ void avdt_msg_ind(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
		evt = avdt_msg_rsp_2_evt[sig - 1];
		} else /* msg_type == AVDT_MSG_TYPE_REJ */
		{
		err = avdt_msg_prs_rej(&msg, p, sig);
		err = avdt_msg_prs_rej(&msg, p, p_buf->len, sig);
		evt = avdt_msg_rej_2_evt[sig - 1];
		}