
Commit 3b6a7e27 authored by Jakub Pawlowski's avatar Jakub Pawlowski Committed by android-build-merger

Merge "Add packet length checks in l2cble_process_sig_cmd" into oc-dev am: ece63864

am: 9f4a6f02

Change-Id: I7c5e86edf816862b61974c50f91c184afcab51cc
parents 6d0912df 9f4a6f02
+35 −0
@@ -574,6 +574,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
  uint16_t credit;
  p_pkt_end = p + pkt_len;

  if (p + 4 > p_pkt_end) {
    android_errorWriteLog(0x534e4554, "80261585");
    LOG(ERROR) << "invalid read";
    return;
  }

  STREAM_TO_UINT8(cmd_code, p);
  STREAM_TO_UINT8(id, p);
  STREAM_TO_UINT16(cmd_len, p);
@@ -599,6 +605,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      break;

    case L2CAP_CMD_BLE_UPDATE_REQ:
      if (p + 8 > p_pkt_end) {
        android_errorWriteLog(0x534e4554, "80261585");
        LOG(ERROR) << "invalid read";
        return;
      }

      STREAM_TO_UINT16(min_interval, p); /* 0x0006 - 0x0C80 */
      STREAM_TO_UINT16(max_interval, p); /* 0x0006 - 0x0C80 */
      STREAM_TO_UINT16(latency, p);      /* 0x0000 - 0x03E8 */
@@ -647,6 +659,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      break;

    case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:
      if (p + 10 > p_pkt_end) {
        android_errorWriteLog(0x534e4554, "80261585");
        LOG(ERROR) << "invalid read";
        return;
      }

      STREAM_TO_UINT16(con_info.psm, p);
      STREAM_TO_UINT16(rcid, p);
      STREAM_TO_UINT16(mtu, p);
@@ -730,6 +748,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      }
      if (p_ccb) {
        L2CAP_TRACE_DEBUG("I remember the connection req");
        if (p + 10 > p_pkt_end) {
          android_errorWriteLog(0x534e4554, "80261585");
          LOG(ERROR) << "invalid read";
          return;
        }

        STREAM_TO_UINT16(p_ccb->remote_cid, p);
        STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mtu, p);
        STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mps, p);
@@ -775,6 +799,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      break;

    case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:
      if (p + 4 > p_pkt_end) {
        android_errorWriteLog(0x534e4554, "80261585");
        LOG(ERROR) << "invalid read";
        return;
      }

      STREAM_TO_UINT16(lcid, p);
      p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid);
      if (p_ccb == NULL) {
@@ -808,6 +838,11 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      break;

    case L2CAP_CMD_DISC_RSP:
      if (p + 4 > p_pkt_end) {
        android_errorWriteLog(0x534e4554, "80261585");
        LOG(ERROR) << "invalid read";
        return;
      }
      STREAM_TO_UINT16(rcid, p);
      STREAM_TO_UINT16(lcid, p);