
Commit 8d52336f authored by Hui Peng

Fix an OOB bug in btm_ble_rand_enc_complete

Bug: 260569449
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I096fb985f025908f9d68d2735b9f98515b04cfb9
Change-Id: I096fb985f025908f9d68d2735b9f98515b04cfb9
parent 362a9148
+16 −1
@@ -1012,7 +1012,8 @@ tL2CAP_LE_RESULT_CODE btm_ble_start_sec_check(const RawAddress& bd_addr,
 * Returns          void
 *
 ******************************************************************************/
void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,
void btm_ble_rand_enc_complete(uint8_t* p, uint16_t evt_len,
                               uint16_t op_code,
                               tBTM_RAND_ENC_CB* p_enc_cplt_cback) {
  tBTM_RAND_ENC params;
  uint8_t* p_dest = params.param_buf;
@@ -1023,6 +1024,11 @@ void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,

  /* If there was a callback address for vcs complete, call it */
  if (p_enc_cplt_cback && p) {

    if (evt_len < 1) {
      goto err_out;
    }

    /* Pass paramters to the callback function */
    STREAM_TO_UINT8(params.status, p); /* command status */

@@ -1034,12 +1040,21 @@ void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,
      else
        params.param_len = OCTET16_LEN;

      if (evt_len < 1 + params.param_len) {
        goto err_out;
      }

      /* Fetch return info from HCI event message */
      memcpy(p_dest, p, params.param_len);
    }
    if (p_enc_cplt_cback) /* Call the Encryption complete callback function */
      (*p_enc_cplt_cback)(&params);
  }

  return;

err_out:
  BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__);
}

/*******************************************************************************
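Review bot: On the new err_out path (third hunk, the label and BTM_TRACE_ERROR line) the registered p_enc_cplt_cback is never invoked, so a truncated HCI_BLE_RAND/HCI_BLE_ENCRYPT command-complete event now produces only a trace and no completion at all; if the callers that register this callback rely on it to advance their state, it would be safer to still call it with params.status set to a non-success value rather than dropping it silently. The two bounds checks themselves look correct, provided the lines between the second and third hunks consume nothing further from p after STREAM_TO_UINT8, which this page does not show. The new evt_len parameter is undocumented: the function's header comment ends above the first hunk and the extern prototype in the third file carries no description, so add `evt_len: number of bytes available at p (length of the command-complete payload)` to the parameter list. Minor wording: the trace text `malformatted` should read `malformed`.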
+1 −1
@@ -1229,7 +1229,7 @@ static void btu_hcif_hdl_command_complete(uint16_t opcode, uint8_t* p,
    /* BLE Commands sComplete*/
    case HCI_BLE_RAND:
    case HCI_BLE_ENCRYPT:
      btm_ble_rand_enc_complete(p, opcode, (tBTM_RAND_ENC_CB*)p_cplt_cback);
      btm_ble_rand_enc_complete(p, evt_len, opcode, (tBTM_RAND_ENC_CB*)p_cplt_cback);
      break;

    case HCI_BLE_READ_ADV_CHNL_TX_POWER:
+2 −1
@@ -34,7 +34,8 @@ extern void btm_ble_create_ll_conn_complete(tHCI_STATUS status);
extern void btm_ble_ltk_request(uint16_t handle, uint8_t rand[8],
                                uint16_t ediv);
extern void btm_ble_test_command_complete(uint8_t* p);
extern void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,
extern void btm_ble_rand_enc_complete(uint8_t* p, uint16_t evt_len,
                                      uint16_t op_code,
                                      tBTM_RAND_ENC_CB* p_enc_cplt_cback);
extern bool btm_identity_addr_to_random_pseudo(RawAddress* bd_addr,
                                               tBLE_ADDR_TYPE* p_addr_type,
+1 −1
@@ -226,7 +226,7 @@ void btm_ble_ltk_request_reply(const RawAddress& bda, bool use_stk,
                               const Octet16& stk) {
  mock_function_count_map[__func__]++;
}
void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,
void btm_ble_rand_enc_complete(uint8_t* p, uint16_t evt_len, uint16_t op_code,
                               tBTM_RAND_ENC_CB* p_enc_cplt_cback) {
  mock_function_count_map[__func__]++;
}