Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 67a78b01 authored by Jakub Pawlowski's avatar Jakub Pawlowski Committed by android-build-team Robot
Browse files

Add packet length checks in l2cble_process_sig_cmd 

Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
(cherry picked from commit c2aea68e)
parent 96b78a7e

system/stack/l2cap/l2c_ble.cc

+35 −0
Original line number Diff line number Diff line
@@ -594,6 +594,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
  uint16_t credit;

  p_pkt_end = p + pkt_len;



  if (p + 4 > p_pkt_end) {

    android_errorWriteLog(0x534e4554, "80261585");

    LOG(ERROR) << "invalid read";

    return;

  }



  STREAM_TO_UINT8(cmd_code, p);

  STREAM_TO_UINT8(id, p);

  STREAM_TO_UINT16(cmd_len, p);
@@ -619,6 +625,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      break;



    case L2CAP_CMD_BLE_UPDATE_REQ:

      if (p + 8 > p_pkt_end) {

        android_errorWriteLog(0x534e4554, "80261585");

        LOG(ERROR) << "invalid read";

        return;

      }



      STREAM_TO_UINT16(min_interval, p); /* 0x0006 - 0x0C80 */

      STREAM_TO_UINT16(max_interval, p); /* 0x0006 - 0x0C80 */

      STREAM_TO_UINT16(latency, p);      /* 0x0000 - 0x03E8 */
@@ -660,6 +672,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      break;



    case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:

      if (p + 10 > p_pkt_end) {

        android_errorWriteLog(0x534e4554, "80261585");

        LOG(ERROR) << "invalid read";

        return;

      }



      STREAM_TO_UINT16(con_info.psm, p);

      STREAM_TO_UINT16(rcid, p);

      STREAM_TO_UINT16(mtu, p);
@@ -743,6 +761,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      }

      if (p_ccb) {

        L2CAP_TRACE_DEBUG("I remember the connection req");

        if (p + 10 > p_pkt_end) {

          android_errorWriteLog(0x534e4554, "80261585");

          LOG(ERROR) << "invalid read";

          return;

        }



        STREAM_TO_UINT16(p_ccb->remote_cid, p);

        STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mtu, p);

        STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mps, p);
@@ -788,6 +812,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      break;



    case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:

      if (p + 4 > p_pkt_end) {

        android_errorWriteLog(0x534e4554, "80261585");

        LOG(ERROR) << "invalid read";

        return;

      }



      STREAM_TO_UINT16(lcid, p);

      p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid);

      if (p_ccb == NULL) {
@@ -821,6 +851,11 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      break;



    case L2CAP_CMD_DISC_RSP:

      if (p + 4 > p_pkt_end) {

        android_errorWriteLog(0x534e4554, "80261585");

        LOG(ERROR) << "invalid read";

        return;

      }

      STREAM_TO_UINT16(rcid, p);

      STREAM_TO_UINT16(lcid, p);