
Commit 5cab7c92 authored by Stanley Tng's avatar Stanley Tng

A security fix to check buffer length in l2c_lcc_proc_pdu

Add check to make sure that data buffer is big enough to read the 2
bytes for length.

Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
parent 2416804a
+10 −1
@@ -835,7 +835,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
  }

  if (p_ccb->is_first_seg) {
    if (p_buf->len < sizeof(sdu_length)) {
      L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",
                        __func__, p_buf->len);
      android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);
      /* Discard the buffer */
      osi_free(p_buf);
      return;
    }
    STREAM_TO_UINT16(sdu_length, p);

    /* Check the SDU Length with local MTU size */
    if (sdu_length > p_ccb->local_conn_cfg.mtu) {
      /* Discard the buffer */
@@ -844,6 +853,7 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
    }

    p_buf->len -= sizeof(sdu_length);
    p_buf->offset += sizeof(sdu_length);

    if (sdu_length < p_buf->len) {
      L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
@@ -863,7 +873,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
    p_data->len = 0;
    p_ccb->ble_sdu_length = sdu_length;
    L2CAP_TRACE_DEBUG("%s SDU Length = %d", __func__, sdu_length);
    p_buf->offset += sizeof(sdu_length);
    p_data->offset = 0;

  } else {
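Review bot: The new length guard at the top of the `is_first_seg` branch spells the minimum as a literal in its log text (`Need at least 2.`) while the comparison uses `sizeof(sdu_length)`; printing the same expression keeps the two from drifting apart: `L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least %zu.", __func__, p_buf->len, sizeof(sdu_length));`. A one-line comment above the guard, such as `/* A first segment shorter than the SDU length field must not be parsed */`, would record why the check has to precede `STREAM_TO_UINT16`. The guard covers only the first-segment path: the `else` branch and the code that derives `p` from `p_buf` lie outside the visible hunks, so whether continuation segments and `p_buf->offset` are bounded in the same way cannot be confirmed from this page and is worth checking in the full function. `l2c_lcc_proc_pdu` starts and ends outside these hunks.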