
Commit 4d18d5f0 authored by Myles Watson's avatar Myles Watson

DO NOT MERGE: MCAP: Check response length in mca_ccb_hdl_rsp

Bug: 116319076
Test: Send a short MCAP response
Change-Id: I0452f7d2c0f4ecccc7a6501773e26b403b116179
parent 88268c3a
+14 −3
@@ -451,11 +451,22 @@ void mca_ccb_hdl_rsp(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
  tMCA_RESULT result = MCA_BAD_HANDLE;
  tMCA_RESULT result = MCA_BAD_HANDLE;
  tMCA_TC_TBL* p_tbl;
  tMCA_TC_TBL* p_tbl;


  if (p_ccb->p_tx_req) {
  if (p_pkt->len < sizeof(evt_data.hdr.op_code) +
                       sizeof(evt_data.rsp.rsp_code) +
                       sizeof(evt_data.hdr.mdl_id)) {
    android_errorWriteLog(0x534e4554, "116319076");
    MCA_TRACE_ERROR("%s: Response packet is too short", __func__);
  } else if (p_ccb->p_tx_req) {
    /* verify that the received response matches the sent request */
    /* verify that the received response matches the sent request */
    p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
    p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
    evt_data.hdr.op_code = *p++;
    evt_data.hdr.op_code = *p++;
    if ((evt_data.hdr.op_code == 0) ||
    if ((evt_data.hdr.op_code == MCA_OP_MDL_CREATE_RSP) &&
        (p_pkt->len <
         sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) +
             sizeof(evt_data.hdr.mdl_id) + sizeof(evt_data.create_cfm.cfg))) {
      android_errorWriteLog(0x534e4554, "116319076");
      MCA_TRACE_ERROR("%s: MDL Create Response packet is too short", __func__);
    } else if ((evt_data.hdr.op_code == 0) ||
               ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
               ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
      evt_data.rsp.rsp_code = *p++;
      evt_data.rsp.rsp_code = *p++;
      mca_stop_timer(p_ccb);
      mca_stop_timer(p_ccb);
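Review bot: The minimum response length is written out twice, once in the outer guard and again inside the MCA_OP_MDL_CREATE_RSP check, so the two bounds can drift apart if a header field is ever added or resized. Computing it once, e.g. `const size_t min_rsp_len = sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) + sizeof(evt_data.hdr.mdl_id);`, and comparing against `min_rsp_len` and `min_rsp_len + sizeof(evt_data.create_cfm.cfg)` would tie each bound to the reads it protects. Both too-short branches only log and leave `result` at MCA_BAD_HANDLE. In the create-response branch `mca_stop_timer(p_ccb)` is skipped, so the pending request presumably stays outstanding until its timer expires, which deserves a comment such as `/* drop the malformed response; the pending request is left to time out */`. The body of mca_ccb_hdl_rsp starts before and continues after this hunk, so whether the packet is released on these paths cannot be confirmed from here.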