
Commit 8db08060 authored by Jakub Pawlowski

Fix potential buffer overflow and uninitialized read in reassemble_and_dispatch_iso

Tag: #security
Test: compilation
Bug: 188673156
Change-Id: Id9f2acfde05da681c82adc25d602cc48a2bc5df9
parent 5391c44b
+16 −2
@@ -254,8 +254,10 @@ static void reassemble_and_dispatch_iso(UNUSED_ATTR BT_HDR* packet) {
        return;
      }

      if ((boundary_flag == HCI_ISO_BF_COMPLETE_PACKET) &&
          (iso_full_len != packet->len)) {
      if (((boundary_flag == HCI_ISO_BF_COMPLETE_PACKET) &&
           (iso_full_len != packet->len)) ||
          ((boundary_flag == HCI_ISO_BF_FIRST_FRAGMENTED_PACKET) &&
           (iso_full_len <= packet->len))) {
        LOG_ERROR("%s corrupted ISO frame", __func__);
        return;
      }
@@ -324,6 +326,18 @@ static void reassemble_and_dispatch_iso(UNUSED_ATTR BT_HDR* packet) {
        return;
      }

      if (partial_packet->len !=
          partial_packet->offset + packet->len - HCI_ISO_PREAMBLE_SIZE) {
        LOG_ERROR(
            "%s got last fragment, but it doesn't fill up the whole packet of "
            "size %d",
            __func__, partial_packet->len);
        buffer_allocator->free(packet);
        partial_iso_packets.erase(map_iter);
        buffer_allocator->free(partial_packet);
        return;
      }

      partial_packet->layer_specific |= BT_ISO_HDR_OFFSET_POINTS_DATA;
      partial_packet->offset = HCI_ISO_PREAMBLE_SIZE;
      if (partial_packet->layer_specific & BT_ISO_HDR_CONTAINS_TS)
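Review bot: The new length check in the second hunk rejects both an under-filled and an over-long last fragment, but its log message only describes the under-fill case and prints a single number, which makes the overflow case (the one the commit title is about) hard to triage from logs. I would log the three quantities the comparison uses: `"%s last fragment mismatch: offset %d + payload %d != packet size %d", __func__, partial_packet->offset, packet->len - HCI_ISO_PREAMBLE_SIZE, partial_packet->len`. The check also presumes `packet->len >= HCI_ISO_PREAMBLE_SIZE` for the subtraction to be meaningful; if that is not validated earlier in the function, a one-line guard before it (or a comment stating where it is enforced) would make the invariant explicit. reassemble_and_dispatch_iso continues past the end of this hunk, so the dispatch that follows this check is not visible here.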