
Commit 6aedab38 authored by Hui Peng's avatar Hui Peng

Fix an OOB bug in btm_ble_read_remote_features_complete

Bug: 254445952
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I25f928cc9fa4b3338b1885412e5f894b4155da71
Change-Id: I25f928cc9fa4b3338b1885412e5f894b4155da71
parent 45e8d2dc
+16 −1
@@ -3137,9 +3137,14 @@ static void btm_ble_observer_timer_timeout(UNUSED_ATTR void* data) {
 * Returns          void
 *
 ******************************************************************************/
void btm_ble_read_remote_features_complete(uint8_t* p) {
void btm_ble_read_remote_features_complete(uint8_t* p, uint8_t length) {
  uint16_t handle;
  uint8_t status;

  if (length < 3) {
    goto err_out;
  }

  STREAM_TO_UINT8(status, p);
  STREAM_TO_UINT16(handle, p);
  handle = handle & 0x0FFF;  // only 12 bits meaningful
@@ -3154,6 +3159,12 @@ void btm_ble_read_remote_features_complete(uint8_t* p) {
  }

  if (status == HCI_SUCCESS) {
    // BD_FEATURES_LEN additional bytes are read
    // in acl_set_peer_le_features_from_handle
    if (length < 3 + BD_FEATURES_LEN) {
      goto err_out;
    }

    if (!acl_set_peer_le_features_from_handle(handle, p)) {
      LOG_ERROR(
          "Unable to find existing connection after read remote features");
@@ -3162,6 +3173,10 @@ void btm_ble_read_remote_features_complete(uint8_t* p) {
  }

  btsnd_hcic_rmt_ver_req(handle);
  return;

err_out:
  LOG_ERROR("bogus event packet, too short");
}

/*******************************************************************************
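Review bot: The header comment directly above the new signature in the first hunk still ends with only `Returns void`, so the new `length` parameter and the two bounds it has to satisfy (3 bytes for the status and handle reads, `3 + BD_FEATURES_LEN` on the success path in the second hunk) are nowhere stated in the contract; the same gap applies to the declaration in the header-file hunk. A `Parameters` line such as ` *                  length  - number of bytes readable from p (>= 3; >= 3 + BD_FEATURES_LEN when status is HCI_SUCCESS)` would let a caller see what it must pass. The two checks also repeat the literal `3`; naming it once (`constexpr uint8_t kMinLen = sizeof(uint8_t) + sizeof(uint16_t);`) keeps the success-path check tied to the reads it guards. In the third hunk the `err_out` log could carry the offending value so a truncated event is diagnosable from the log alone: `LOG_ERROR("bogus event packet, too short: %u", length);`. The body between the hunks is not visible here, so this assumes nothing else advances `p` before the `acl_set_peer_le_features_from_handle` call.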
+1 −1
@@ -346,7 +346,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id,
          btu_ble_ll_conn_param_upd_evt(p, hci_evt_len);
          break;
        case HCI_BLE_READ_REMOTE_FEAT_CMPL_EVT:
          btm_ble_read_remote_features_complete(p);
          btm_ble_read_remote_features_complete(p, ble_evt_len);
          break;
        case HCI_BLE_LTK_REQ_EVT: /* received only at peripheral device */
          btu_ble_proc_ltk_req(p);
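Review bot: The new call passes `ble_evt_len`, while the sibling call two lines up passes `hci_evt_len` to `btu_ble_ll_conn_param_upd_evt`; the callee's new `length < 3` check only works if the value it receives counts the bytes remaining from the current `p`. If `ble_evt_len` is already measured from `p` (the subevent code having been consumed), this is right; if it is the full LE meta-event length, the bound is one byte too generous and the last `STREAM_TO` read can still run past the buffer. Worth confirming against where `ble_evt_len` is computed, and a one-line comment at the call, `// ble_evt_len: bytes remaining at p`, would record the answer. `btu_hcif_process_event` begins outside this hunk, so the derivation of `ble_evt_len` cannot be seen here.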
+1 −1
@@ -27,7 +27,7 @@
void btm_ble_process_adv_pkt(uint8_t len, const uint8_t* p);
void btm_ble_process_ext_adv_pkt(uint8_t len, const uint8_t* p);
void btm_ble_process_phy_update_pkt(uint8_t len, uint8_t* p);
void btm_ble_read_remote_features_complete(uint8_t* p);
void btm_ble_read_remote_features_complete(uint8_t* p, uint8_t length);
void btm_le_on_advertising_set_terminated(uint8_t* p, uint16_t length);
extern void btm_ble_write_adv_enable_complete(uint8_t* p);
extern void btm_ble_create_ll_conn_complete(tHCI_STATUS status);
+1 −1
@@ -186,7 +186,7 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, const uint8_t* data) {
void btm_ble_process_phy_update_pkt(uint8_t len, uint8_t* data) {
  mock_function_count_map[__func__]++;
}
void btm_ble_read_remote_features_complete(uint8_t* p) {
void btm_ble_read_remote_features_complete(uint8_t* p, uint8_t length) {
  mock_function_count_map[__func__]++;
}
void btm_ble_read_remote_name_cmpl(bool status, const RawAddress& bda,