DO NOT MERGE Add bound check for rfc_parse_data (20a4f370) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/include/rfcdefs.h

+0 −7

Original line number	Diff line number	Diff line
		@@ -90,13 +90,6 @@
		pf = (*p_data++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET;\
		}

		#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data) \
		{ \
		ea = (*p_data & RFCOMM_EA); \
		length = (*p_data++ >> RFCOMM_SHIFT_LENGTH1); \
		if (!ea) length += (*p_data++ << RFCOMM_SHIFT_LENGTH2); \
		}

		#define RFCOMM_FRAME_IS_CMD(initiator, cr) \
		(( (initiator) && !(cr)) \|\| (!(initiator) && (cr)))

+10 −1

Original line number	Diff line number	Diff line
		@@ -30,6 +30,7 @@
		#include "l2c_api.h"
		#include "port_int.h"
		#include "rfc_int.h"
		#include "log/log.h"

		/*******************************************************************************
		**
		@@ -555,7 +556,15 @@ UINT8 rfc_parse_data (tRFC_MCB p_mcb, MX_FRAME p_frame, BT_HDR *p_buf)
		return (RFC_EVENT_BAD_FRAME);
		}
		RFCOMM_PARSE_TYPE_FIELD (p_frame->type, p_frame->pf, p_data);
		RFCOMM_PARSE_LEN_FIELD (eal, len, p_data);
		eal = *p_data & RFCOMM_EA;
		len = (*p_data++ >> RFCOMM_SHIFT_LENGTH1);
		if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN) {
		len += (*p_data++ << RFCOMM_SHIFT_LENGTH2);
		} else if (eal == 0) {
		RFCOMM_TRACE_ERROR ("Bad Length when EAL = 0: %d", p_buf->len);
		android_errorWriteLog(0x534e4554, "78288018");
		return RFC_EVENT_BAD_FRAME;
		}

		p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
		p_buf->offset += (3 + !ead + !eal);