
Commit 4dddbdda authored by Brian Delwiche

Fix OOB read in bta_av_setconfig_rej

The bta_av_config_ind function in bta_av_aact.cc makes a call in some
user journeys to bta_av_setconfig_rej, constructing its p_data argument
(a union datatype) as a tBTA_AV_CI_SETCONFIG.  This is a valid member of
the union, but bta_av_setconfig_rej makes the assumption that the
variable being passed has been set up as a tBTA_AV_STR_MSG, which is not
true in this case.  This causes OOB access.

Draw the required data instead from the stream control block, which
should not be subject to this confusion.

Bug: 260230151
Bug: 341754333
Flag: bta_av_setconfig_rej_type_confusion
Test: m libbluetooth
Ignore-AOSP-First: security
Tag: #security
Change-Id: Id6cdb2b5a5e0b25d0926a83d09b68c483bd0df98
parent 26ba3a24
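As an added illustration of the union mistake the commit message describes (example code written for this page, not part of the AOSP Bluetooth stack or of this commit): the structs, the union and the control block below are constructed stand-ins with `_demo` suffixes and made-up field layouts; the real tBTA_AV_DATA, tBTA_AV_CI_SETCONFIG and tBTA_AV_STR_MSG are larger and laid out differently. The "old" path checks whether `str_msg.bd_addr` lies inside the object the caller actually built instead of reading it, so the demo stays defined where the real code read past the object; the "fixed" path takes the address from the control block, as the hunk below does with `p_scb->PeerAddress()`.

```c
/* Added example: models the tBTA_AV_DATA type confusion with small stand-ins.
 * All *_demo types, field names and sizes are constructed for this example. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BD_ADDR_LEN 6

/* Stand-in for the small member the caller really builds (2 bytes). */
typedef struct {
  uint8_t hdr_event;
  uint8_t err_code;
} ci_setconfig_demo;

/* Stand-in for the larger member the callee wrongly assumes (8 bytes). */
typedef struct {
  uint8_t hdr_event;
  uint8_t handle;
  uint8_t bd_addr[BD_ADDR_LEN];
} str_msg_demo;

/* A tBTA_AV_DATA-style union. The caller passes a pointer to a bare
 * ci_setconfig_demo cast to this type, so the pointed-to object is only
 * sizeof(ci_setconfig_demo) bytes, not sizeof(av_data_demo). */
typedef union {
  ci_setconfig_demo ci_setconfig;
  str_msg_demo str_msg;
} av_data_demo;

/* Stand-in for the stream control block, which already holds the peer
 * address and does not depend on which union member the caller built. */
typedef struct {
  uint8_t peer_addr[BD_ADDR_LEN];
  uint8_t hndl;
} scb_demo;

/* Last byte (exclusive) that reading p_data->str_msg.bd_addr touches. */
size_t str_msg_addr_end(void) {
  return offsetof(str_msg_demo, bd_addr) + BD_ADDR_LEN;
}

/* Old behaviour: take the peer address from p_data->str_msg. Returns 0 on
 * success and -1 when the field lies beyond the object the caller actually
 * allocated. The real code has no such check and performs the read anyway,
 * which is the OOB access the commit fixes. */
int reject_addr_from_p_data(const av_data_demo* p_data, size_t actual_object_size,
                            uint8_t out[BD_ADDR_LEN]) {
  if (actual_object_size < str_msg_addr_end()) {
    return -1;
  }
  memcpy(out, p_data->str_msg.bd_addr, BD_ADDR_LEN);
  return 0;
}

/* Fixed behaviour: take the peer address from the control block. */
int reject_addr_from_scb(const scb_demo* p_scb, uint8_t out[BD_ADDR_LEN]) {
  memcpy(out, p_scb->peer_addr, BD_ADDR_LEN);
  return 0;
}

/* The bta_av_config_ind-style call: the caller builds only a ci_setconfig and
 * casts it to the union type. Returns 1 when the old path would have read out
 * of bounds while the fixed path still yields the control block's address. */
int demo_setconfig_rej_path(void) {
  const uint8_t peer[BD_ADDR_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
  scb_demo scb;
  memcpy(scb.peer_addr, peer, BD_ADDR_LEN);
  scb.hndl = 1;

  ci_setconfig_demo setconfig = {.hdr_event = 0x10, .err_code = 0};
  const av_data_demo* p_data = (const av_data_demo*)&setconfig;
  uint8_t out[BD_ADDR_LEN] = {0};

  int old_rc = reject_addr_from_p_data(p_data, sizeof(setconfig), out);
  int new_rc = reject_addr_from_scb(&scb, out);
  return old_rc == -1 && new_rc == 0 && memcmp(out, peer, BD_ADDR_LEN) == 0;
}

/* The other user journeys: when the caller really did build a str_msg, the old
 * read is in bounds and returns the address. Returns 1 on success. */
int demo_full_str_msg_path(void) {
  const uint8_t peer[BD_ADDR_LEN] = {0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}; /* constructed */
  av_data_demo msg;
  memset(&msg, 0, sizeof msg);
  memcpy(msg.str_msg.bd_addr, peer, BD_ADDR_LEN);
  uint8_t out[BD_ADDR_LEN] = {0};
  return reject_addr_from_p_data(&msg, sizeof msg, out) == 0 &&
         memcmp(out, peer, BD_ADDR_LEN) == 0;
}

int main(void) {
  printf("ci_setconfig object is %zu bytes; str_msg.bd_addr ends at byte %zu\n",
         sizeof(ci_setconfig_demo), str_msg_addr_end());
  printf("old path OOB for ci_setconfig, fixed path still correct: %s\n",
         demo_setconfig_rej_path() ? "yes" : "no");
  printf("old path fine for a real str_msg: %s\n",
         demo_full_str_msg_path() ? "yes" : "no");
  return 0;
}
```

The size check stands in for what a sanitizer would report at the real read: the callee's assumption about which union member is live is not visible in the type system, so the fix moves the data source to something that is valid on every path rather than trying to validate `p_data`.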
+20 −7
@@ -28,6 +28,7 @@

#include <base/strings/stringprintf.h>
#include <bluetooth/log.h>
#include <com_android_bluetooth_flags.h>

#include <cstdint>
#include <cstring>
@@ -1816,13 +1817,25 @@ void bta_av_setconfig_rej(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) {
            p_scb->avdt_handle, p_scb->hndl);
  AVDT_ConfigRsp(p_scb->avdt_handle, p_scb->avdt_label, AVDT_ERR_UNSUP_CFG, 0);

  tBTA_AV bta_av_data = {
  tBTA_AV bta_av_data;

  if (com::android::bluetooth::flags::bta_av_setconfig_rej_type_confusion()) {
    bta_av_data = {
        .reject =
            {
                .bd_addr = p_scb->PeerAddress(),
                .hndl = p_scb->hndl,
            },
    };
  } else {
    bta_av_data = {
        .reject =
            {
                .bd_addr = p_data->str_msg.bd_addr,
                .hndl = p_scb->hndl,
            },
    };
  }

  (*bta_av_cb.p_cback)(BTA_AV_REJECT_EVT, &bta_av_data);
}
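Review bot: the else branch in this hunk still reads `p_data->str_msg.bd_addr`, so with bta_av_setconfig_rej_type_confusion disabled the type-confused read the commit message describes remains reachable from bta_av_config_ind; that is the usual shape of a flag-guarded fix, but the change only closes the bug once the flag is on, and the else branch should be removed when the flag is ramped. Two smaller points on the same lines: the two initializers differ only in `.bd_addr`, so selecting the peer address into one local (`p_scb->PeerAddress()` when the flag is set, `p_data->str_msg.bd_addr` otherwise) and initializing `bta_av_data` once would avoid duplicating `.hndl = p_scb->hndl`; and `tBTA_AV bta_av_data;` now starts indeterminate where the removed `tBTA_AV bta_av_data = {` value-initialized it, so a future branch that forgets to assign would hand uninitialized memory to `p_cback`; `tBTA_AV bta_av_data = {};` keeps the old guarantee at no cost.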