
Commit 5a6cd6ec authored by Jakub Pawlowski's avatar Jakub Pawlowski

Include advertising packet header size in boundary check

Malformed packet from controller could potentially trigger OOB read

Bug: 180422331
Change-Id: Iefbde16ab5b8f78ba308b1dcc7b324ac443e4077
parent 2165c2a6
+4 −2
@@ -1738,8 +1738,9 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
  /* Extract the number of reports in this event. */
  STREAM_TO_UINT8(num_reports, p);

  constexpr int extended_report_header_size = 24;
  while (num_reports--) {
    if (p > data + data_len) {
    if (p + extended_report_header_size > data + data_len) {
      // TODO(jpawlowski): we should crash the stack here
      BTM_TRACE_ERROR(
          "Malformed LE Extended Advertising Report Event from controller - "
@@ -1800,8 +1801,9 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
  /* Extract the number of reports in this event. */
  STREAM_TO_UINT8(num_reports, p);

  constexpr int report_header_size = 10;
  while (num_reports--) {
    if (p > data + data_len) {
    if (p + report_header_size > data + data_len) {
      // TODO(jpawlowski): we should crash the stack here
      BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
      return;
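Review bot: The new guard `if (p + extended_report_header_size > data + data_len)` (and the matching `report_header_size` guard in btm_ble_process_adv_pkt) computes `p + N` before comparing, which is pointer arithmetic past the end of `data` whenever fewer than N bytes remain, and the optimizer is allowed to assume such a pointer stays in bounds; comparing the remaining length as an integer avoids that, e.g. `if (p > data + data_len || data + data_len - p < extended_report_header_size)`. The constant only covers the fixed-size fields of one report entry, so the variable-length advertising data that presumably follows inside the loop body still needs its own check against the remaining bytes; that body is outside the hunk, as are both function starts and ends. A short comment on each constant would help the next reader, e.g. `// Size of the fixed-size fields of one report entry; the variable-length advertising data that follows is not counted here` (the value presumably comes from the Bluetooth Core spec report format, confirm when adding it).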