Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8d52336f authored by Hui Peng's avatar Hui Peng
Browse files

Fix an OOB bug in btm_ble_rand_enc_complete 

Bug: 260569449
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I096fb985f025908f9d68d2735b9f98515b04cfb9
Change-Id: I096fb985f025908f9d68d2735b9f98515b04cfb9
parent 362a9148

system/stack/btm/btm_ble.cc

+16 −1
Original line number Diff line number Diff line
@@ -1012,7 +1012,8 @@ tL2CAP_LE_RESULT_CODE btm_ble_start_sec_check(const RawAddress& bd_addr, 
 * Returns          void

 *

 ******************************************************************************/

void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,

void btm_ble_rand_enc_complete(uint8_t* p, uint16_t evt_len,

                               uint16_t op_code,

                               tBTM_RAND_ENC_CB* p_enc_cplt_cback) {

  tBTM_RAND_ENC params;

  uint8_t* p_dest = params.param_buf;
@@ -1023,6 +1024,11 @@ void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code, 


  /* If there was a callback address for vcs complete, call it */

  if (p_enc_cplt_cback && p) {



    if (evt_len < 1) {

      goto err_out;

    }



    /* Pass paramters to the callback function */

    STREAM_TO_UINT8(params.status, p); /* command status */
@@ -1034,12 +1040,21 @@ void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code, 
      else

        params.param_len = OCTET16_LEN;



      if (evt_len < 1 + params.param_len) {

        goto err_out;

      }



      /* Fetch return info from HCI event message */

      memcpy(p_dest, p, params.param_len);

    }

    if (p_enc_cplt_cback) /* Call the Encryption complete callback function */

      (*p_enc_cplt_cback)(&params);

  }



  return;



err_out:

  BTM_TRACE_ERROR("%s malformatted event packet, too short", __func__);

}



/*******************************************************************************

system/stack/btu/btu_hcif.cc

+1 −1
Original line number Diff line number Diff line
@@ -1229,7 +1229,7 @@ static void btu_hcif_hdl_command_complete(uint16_t opcode, uint8_t* p, 
    /* BLE Commands sComplete*/

    case HCI_BLE_RAND:

    case HCI_BLE_ENCRYPT:

      btm_ble_rand_enc_complete(p, opcode, (tBTM_RAND_ENC_CB*)p_cplt_cback);

      btm_ble_rand_enc_complete(p, evt_len, opcode, (tBTM_RAND_ENC_CB*)p_cplt_cback);

      break;



    case HCI_BLE_READ_ADV_CHNL_TX_POWER:

system/stack/include/ble_hci_link_interface.h

+2 −1
Original line number Diff line number Diff line
@@ -34,7 +34,8 @@ extern void btm_ble_create_ll_conn_complete(tHCI_STATUS status); 
extern void btm_ble_ltk_request(uint16_t handle, uint8_t rand[8],

                                uint16_t ediv);

extern void btm_ble_test_command_complete(uint8_t* p);

extern void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,

extern void btm_ble_rand_enc_complete(uint8_t* p, uint16_t evt_len,

                                      uint16_t op_code,

                                      tBTM_RAND_ENC_CB* p_enc_cplt_cback);

extern bool btm_identity_addr_to_random_pseudo(RawAddress* bd_addr,

                                               tBLE_ADDR_TYPE* p_addr_type,

system/test/mock/mock_stack_btm_ble.cc

+1 −1
Original line number Diff line number Diff line
@@ -226,7 +226,7 @@ void btm_ble_ltk_request_reply(const RawAddress& bda, bool use_stk, 
                               const Octet16& stk) {

  mock_function_count_map[__func__]++;

}

void btm_ble_rand_enc_complete(uint8_t* p, uint16_t op_code,

void btm_ble_rand_enc_complete(uint8_t* p, uint16_t evt_len, uint16_t op_code,

                               tBTM_RAND_ENC_CB* p_enc_cplt_cback) {

  mock_function_count_map[__func__]++;

}