Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3157201d authored by Pavlin Radoslavov's avatar Pavlin Radoslavov
Browse files

DO NOT MERGE - Check AVRCP data length when parsing inside avrc_ctrl_pars_vendor_rsp() 

Bug: 111450417
Test: PoC test program
Change-Id: Idd619e52dc7a2944d0d08af824505580e299c163
(cherry picked from commit fe923a7d)
parent daf53547

system/stack/avrc/avrc_pars_ct.c

+135 −13
Original line number Diff line number Diff line
@@ -30,6 +30,8 @@ 


#if (AVRC_METADATA_INCLUDED == TRUE)



#define MIN(x, y) ((x) < (y) ? (x) : (y))



/*******************************************************************************

**

** Function         avrc_pars_vendor_rsp
@@ -107,25 +109,37 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p 
    return status;

}



void avrc_parse_notification_rsp (UINT8 *p_stream, tAVRC_REG_NOTIF_RSP *p_rsp)

tAVRC_STS avrc_parse_notification_rsp (UINT8 *p_stream, UINT16 len,

                                       tAVRC_REG_NOTIF_RSP *p_rsp)

{

    UINT16 min_len = 1;



    if (len < min_len) goto length_error;

    BE_STREAM_TO_UINT8(p_rsp->event_id, p_stream);

    switch (p_rsp->event_id)

    {

        case AVRC_EVT_PLAY_STATUS_CHANGE:

            min_len += 1;

            if (len < min_len) goto length_error;

            BE_STREAM_TO_UINT8(p_rsp->param.play_status, p_stream);

            break;



        case AVRC_EVT_TRACK_CHANGE:

            min_len += 8;

            if (len < min_len) goto length_error;

            BE_STREAM_TO_ARRAY(p_stream, p_rsp->param.track, 8);

            break;



        case AVRC_EVT_APP_SETTING_CHANGE:

            min_len += 1;

            if (len < min_len) goto length_error;

            BE_STREAM_TO_UINT8(p_rsp->param.player_setting.num_attr, p_stream);

            if (p_rsp->param.player_setting.num_attr > AVRC_MAX_APP_SETTINGS) {

                android_errorWriteLog(0x534e4554, "73782082");

                p_rsp->param.player_setting.num_attr = AVRC_MAX_APP_SETTINGS;

            }

            min_len += p_rsp->param.player_setting.num_attr * 2;

            if (len < min_len) goto length_error;

            for (int index = 0; index < p_rsp->param.player_setting.num_attr; index++)

            {

                BE_STREAM_TO_UINT8(p_rsp->param.player_setting.attr_id[index], p_stream);
@@ -153,6 +167,14 @@ void avrc_parse_notification_rsp (UINT8 *p_stream, tAVRC_REG_NOTIF_RSP *p_rsp) 
        default:

            break;

    }



    return AVRC_STS_NO_ERROR;



length_error:

    android_errorWriteLog(0x534e4554, "111450417");

    AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d",

                       __func__, len, min_len);

    return AVRC_STS_INTERNAL_ERR;

}



#if (AVRC_CTLR_INCLUDED == TRUE)
@@ -170,17 +192,33 @@ void avrc_parse_notification_rsp (UINT8 *p_stream, tAVRC_REG_NOTIF_RSP *p_rsp) 
static tAVRC_STS avrc_ctrl_pars_vendor_rsp(

    tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p_result, UINT8* p_buf, UINT16* buf_len)

{

    if (p_msg->vendor_len < 4) {

        android_errorWriteLog(0x534e4554, "111450417");

        AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",

                           __func__, p_msg->vendor_len);

        return AVRC_STS_INTERNAL_ERR;

    }



    UINT8   *p = p_msg->p_vendor_data;

    BE_STREAM_TO_UINT8 (p_result->pdu, p);

    p++; /* skip the reserved/packe_type byte */



    UINT16  len;

    UINT16  min_len = 0;

    BE_STREAM_TO_UINT16 (len, p);

    AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d",

                     __func__, p_msg->hdr.ctype, p_result->pdu, len);

    AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d  vendor_len=0x%x", __func__,

                     p_msg->hdr.ctype, p_result->pdu, len, p_msg->vendor_len);

    if (p_msg->vendor_len < len + 4) {

        android_errorWriteLog(0x534e4554, "111450417");

        AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",

                           __func__, p_msg->vendor_len, len + 4);

        return AVRC_STS_INTERNAL_ERR;

    }

    /* Todo: Issue in handling reject, check */

    if (p_msg->hdr.ctype == AVRC_RSP_REJ)

    {

        min_len += 1;

        if (len < min_len) goto length_error;

        p_result->rsp.status = *p;

        return p_result->rsp.status;

    }
@@ -192,8 +230,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
    /* case AVRC_PDU_ABORT_CONTINUATION_RSP:   0x41 */



    case AVRC_PDU_REGISTER_NOTIFICATION:

        avrc_parse_notification_rsp(p, &p_result->reg_notif);

        break;

        return avrc_parse_notification_rsp(p, len, &p_result->reg_notif);



    case AVRC_PDU_GET_CAPABILITIES:

        if (len == 0)
@@ -202,12 +239,16 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
            p_result->get_caps.capability_id = 0;

            break;

        }

        min_len += 2;

        if (len < min_len) goto length_error;

        BE_STREAM_TO_UINT8(p_result->get_caps.capability_id, p);

        BE_STREAM_TO_UINT8(p_result->get_caps.count, p);

        AVRC_TRACE_DEBUG("%s cap id = %d, cap_count = %d ",

                         __func__, p_result->get_caps.capability_id, p_result->get_caps.count);

        if (p_result->get_caps.capability_id == AVRC_CAP_COMPANY_ID)

        {

            min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_COMP_ID) * 3;

            if (len < min_len) goto length_error;

            for(int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_COMP_ID));

                xx++)

            {
@@ -216,6 +257,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
        }

        else if (p_result->get_caps.capability_id == AVRC_CAP_EVENTS_SUPPORTED)

        {

            min_len += MIN(p_result->get_caps.count, AVRC_CAP_MAX_NUM_EVT_ID);

            if (len < min_len) goto length_error;

            for(int xx = 0; ((xx < p_result->get_caps.count) && (xx < AVRC_CAP_MAX_NUM_EVT_ID));

                xx++)

            {
@@ -230,6 +273,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
            p_result->list_app_attr.num_attr = 0;

            break;

        }

        min_len += 1;

        BE_STREAM_TO_UINT8(p_result->list_app_attr.num_attr, p);



        if (p_result->list_app_attr.num_attr > AVRC_MAX_APP_ATTR_SIZE) {
@@ -238,6 +282,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
        }



        AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->list_app_attr.num_attr);

        min_len += p_result->list_app_attr.num_attr;

        if (len < min_len) goto length_error;

        for(int xx = 0; xx < p_result->list_app_attr.num_attr; xx++)

        {

            BE_STREAM_TO_UINT8(p_result->list_app_attr.attrs[xx], p);
@@ -250,6 +296,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
            p_result->list_app_values.num_val = 0;

            break;

        }

        min_len += 1;

        BE_STREAM_TO_UINT8(p_result->list_app_values.num_val, p);

        if (p_result->list_app_values.num_val > AVRC_MAX_APP_ATTR_SIZE) {

            android_errorWriteLog(0x534e4554, "78526423");
@@ -257,6 +304,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
        }



        AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->list_app_values.num_val);

        min_len += p_result->list_app_values.num_val;

        if (len < min_len) goto length_error;

        for(int xx = 0; xx < p_result->list_app_values.num_val; xx++)

        {

            BE_STREAM_TO_UINT8(p_result->list_app_values.vals[xx], p);
@@ -270,9 +319,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
            p_result->get_cur_app_val.num_val = 0;

            break;

        }

        min_len += 1;

        BE_STREAM_TO_UINT8(p_result->get_cur_app_val.num_val, p);

        tAVRC_APP_SETTING *app_sett =

            (tAVRC_APP_SETTING*)osi_malloc(p_result->get_cur_app_val.num_val*sizeof(tAVRC_APP_SETTING));

        AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_cur_app_val.num_val);
@@ -281,6 +329,13 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
            p_result->get_cur_app_val.num_val = AVRC_MAX_APP_ATTR_SIZE;

        }



        min_len += p_result->get_cur_app_val.num_val * 2;

        if (len < min_len) {

            p_result->get_cur_app_val.num_val = 0;

            goto length_error;

        }

        tAVRC_APP_SETTING *app_sett =

            (tAVRC_APP_SETTING*)osi_calloc(p_result->get_cur_app_val.num_val*sizeof(tAVRC_APP_SETTING));

        for (int xx = 0; xx < p_result->get_cur_app_val.num_val; xx++)

        {

            BE_STREAM_TO_UINT8(app_sett[xx].attr_id, p);
@@ -299,6 +354,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
            p_result->get_app_attr_txt.num_attr = 0;

            break;

        }

        min_len += 1;

        BE_STREAM_TO_UINT8(num_attrs, p);

        if (num_attrs > AVRC_MAX_APP_ATTR_SIZE) {

          num_attrs = AVRC_MAX_APP_ATTR_SIZE;
@@ -306,15 +362,33 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
        AVRC_TRACE_DEBUG("%s attr count = %d ", __func__, p_result->get_app_attr_txt.num_attr);

        p_result->get_app_attr_txt.num_attr = num_attrs;

        p_result->get_app_attr_txt.p_attrs = (tAVRC_APP_SETTING_TEXT*)

            osi_malloc(num_attrs * sizeof(tAVRC_APP_SETTING_TEXT));

            osi_calloc(num_attrs * sizeof(tAVRC_APP_SETTING_TEXT));

        for (int xx = 0; xx < num_attrs; xx++)

        {

            min_len += 4;

            if (len < min_len) {

                for (int j = 0; j < xx; j++) {

                    osi_free(p_result->get_app_attr_txt.p_attrs[j].p_str);

                }

                osi_free_and_reset((void**)&p_result->get_app_attr_txt.p_attrs);

                p_result->get_app_attr_txt.num_attr = 0;

                goto length_error;

            }

            BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].attr_id, p);

            BE_STREAM_TO_UINT16(p_result->get_app_attr_txt.p_attrs[xx].charset_id, p);

            BE_STREAM_TO_UINT8(p_result->get_app_attr_txt.p_attrs[xx].str_len, p);

            min_len += p_result->get_app_attr_txt.p_attrs[xx].str_len;

            if (len < min_len) {

                for (int j = 0; j < xx; j++) {

                    osi_free(p_result->get_app_attr_txt.p_attrs[j].p_str);

                }

                osi_free_and_reset((void**)&p_result->get_app_attr_txt.p_attrs);

                p_result->get_app_attr_txt.num_attr = 0;

                goto length_error;

            }

            if (p_result->get_app_attr_txt.p_attrs[xx].str_len != 0)

            {

                UINT8 *p_str = (UINT8 *)osi_malloc(p_result->get_app_attr_txt.p_attrs[xx].str_len);

                UINT8 *p_str = (UINT8 *)osi_calloc(p_result->get_app_attr_txt.p_attrs[xx].str_len);

                BE_STREAM_TO_ARRAY(p, p_str, p_result->get_app_attr_txt.p_attrs[xx].str_len);

                p_result->get_app_attr_txt.p_attrs[xx].p_str = p_str;

            } else {
@@ -333,6 +407,7 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
            p_result->get_app_val_txt.num_attr = 0;

            break;

        }

        min_len += 1;

        BE_STREAM_TO_UINT8(num_vals, p);

        if (num_vals > AVRC_MAX_APP_ATTR_SIZE) {

          num_vals = AVRC_MAX_APP_ATTR_SIZE;
@@ -341,13 +416,31 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
        AVRC_TRACE_DEBUG("%s value count = %d ", __func__, p_result->get_app_val_txt.num_attr);



        p_result->get_app_val_txt.p_attrs = (tAVRC_APP_SETTING_TEXT *)

            osi_malloc(num_vals * sizeof(tAVRC_APP_SETTING_TEXT));

            osi_calloc(num_vals * sizeof(tAVRC_APP_SETTING_TEXT));

        for (int i = 0; i < num_vals; i++) {

            min_len += 4;

            if (len < min_len) {

                for (int j = 0; j < i; j++) {

                    osi_free(p_result->get_app_val_txt.p_attrs[j].p_str);

                }

                osi_free_and_reset((void**)&p_result->get_app_val_txt.p_attrs);

                p_result->get_app_val_txt.num_attr = 0;

                goto length_error;

            }

            BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].attr_id, p);

            BE_STREAM_TO_UINT16(p_result->get_app_val_txt.p_attrs[i].charset_id, p);

            BE_STREAM_TO_UINT8(p_result->get_app_val_txt.p_attrs[i].str_len, p);

            min_len += p_result->get_app_val_txt.p_attrs[i].str_len;

            if (len < min_len) {

                for (int j = 0; j < i; j++) {

                    osi_free(p_result->get_app_val_txt.p_attrs[j].p_str);

                }

                osi_free_and_reset((void**)&p_result->get_app_val_txt.p_attrs);

                p_result->get_app_val_txt.num_attr = 0;

                goto length_error;

            }

            if (p_result->get_app_val_txt.p_attrs[i].str_len != 0) {

                UINT8 *p_str = (UINT8 *)osi_malloc(p_result->get_app_val_txt.p_attrs[i].str_len);

                UINT8 *p_str = (UINT8 *)osi_calloc(p_result->get_app_val_txt.p_attrs[i].str_len);

                BE_STREAM_TO_ARRAY(p, p_str, p_result->get_app_val_txt.p_attrs[i].str_len);

                p_result->get_app_val_txt.p_attrs[i].p_str = p_str;

            } else {
@@ -370,19 +463,40 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
            p_result->get_elem_attrs.num_attr = 0;

            break;

        }

        min_len += 1;

        BE_STREAM_TO_UINT8(num_attrs, p);

        p_result->get_elem_attrs.num_attr = num_attrs;

        if (num_attrs)

        {

            tAVRC_ATTR_ENTRY *p_attrs =

                (tAVRC_ATTR_ENTRY*)osi_malloc(num_attrs * sizeof(tAVRC_ATTR_ENTRY));

                (tAVRC_ATTR_ENTRY*)osi_calloc(num_attrs * sizeof(tAVRC_ATTR_ENTRY));

            for (int i = 0; i < num_attrs; i++) {

                min_len += 8;

                if (len < min_len) {

                    for (int j = 0; j < i; j++) {

                        osi_free(p_attrs[j].name.p_str);

                    }

                    osi_free(p_attrs);

                    p_result->get_elem_attrs.num_attr = 0;

                    goto length_error;

                }

                BE_STREAM_TO_UINT32(p_attrs[i].attr_id, p);

                BE_STREAM_TO_UINT16(p_attrs[i].name.charset_id, p);

                BE_STREAM_TO_UINT16(p_attrs[i].name.str_len, p);

                min_len += p_attrs[i].name.str_len;

                if (len < min_len) {

                    for (int j = 0; j < i; j++) {

                        osi_free(p_attrs[j].name.p_str);

                    }

                    osi_free(p_attrs);

                    p_result->get_elem_attrs.num_attr = 0;

                    goto length_error;

                }

                if (p_attrs[i].name.str_len > 0) {

                    p_attrs[i].name.p_str = (UINT8 *)osi_malloc(p_attrs[i].name.str_len);

                    p_attrs[i].name.p_str = (UINT8 *)osi_calloc(p_attrs[i].name.str_len);

                    BE_STREAM_TO_ARRAY(p, p_attrs[i].name.p_str, p_attrs[i].name.str_len);

                } else {

                    p_attrs[i].name.p_str = NULL;

                }

            }

            p_result->get_elem_attrs.p_attrs = p_attrs;
@@ -395,6 +509,8 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
        {

            break;

        }

        min_len += 9;

        if (len < min_len) goto length_error;

        BE_STREAM_TO_UINT32(p_result->get_play_status.song_len, p);

        BE_STREAM_TO_UINT32(p_result->get_play_status.song_pos, p);

        BE_STREAM_TO_UINT8(p_result->get_play_status.status, p);
@@ -404,6 +520,12 @@ static tAVRC_STS avrc_ctrl_pars_vendor_rsp( 
        return AVRC_STS_BAD_CMD;

    }

    return AVRC_STS_NO_ERROR;



length_error:

    android_errorWriteLog(0x534e4554, "111450417");

    AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least %d",

                       __func__, len, min_len);

    return AVRC_STS_INTERNAL_ERR;

}



/*******************************************************************************