
Commit 96f3400b authored by Android Build Merger (Role)'s avatar Android Build Merger (Role)

[automerger] DO NOT MERGE: Add missing AVRCP message length checks inside...

[automerger] DO NOT MERGE: Add missing AVRCP message length checks inside avrc_msg_cback am: b2a66cfb am: 772be126 am: 0ad40dca

Change-Id: I474abf5e66800878b06f5dff40925259a11b6f90
parents 63860c5d 0ad40dca
+27 −0
@@ -24,6 +24,8 @@
#include <assert.h>
#include <string.h>

#include <log/log.h>

#include "bt_common.h"
#include "avrc_api.h"
#include "avrc_int.h"
@@ -565,6 +567,13 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
    p_data  = (UINT8 *)(p_pkt+1) + p_pkt->offset;
    memset(&msg, 0, sizeof(tAVRC_MSG) );
    {
        if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
            android_errorWriteLog(0x534e4554, "111803925");
            AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
                               __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
            osi_free(p_pkt);
            return;
        }
        msg.hdr.ctype           = p_data[0] & AVRC_CTYPE_MASK;
        AVRC_TRACE_DEBUG("avrc_msg_cback handle:%d, ctype:%d, offset:%d, len: %d",
                handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
@@ -603,6 +612,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
            else
            {
                /* parse response */
                if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
                    AVRC_TRACE_WARNING(
                        "%s: message length %d too short: must be at least %d",
                        __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
                    android_errorWriteLog(0x534e4554, "79883824");
                    drop = TRUE;
                    p_drop_msg = "UNIT_INFO_RSP too short";
                    break;
                }
                p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
                msg.unit.unit_type  = (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
                msg.unit.unit       = *p_data & AVRC_SUBID_MASK;
@@ -634,6 +652,15 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
            else
            {
                /* parse response */
                if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
                    AVRC_TRACE_WARNING(
                        "%s: message length %d too short: must be at least %d",
                        __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
                    android_errorWriteLog(0x534e4554, "79883824");
                    drop = TRUE;
                    p_drop_msg = "SUB_UNIT_INFO_RSP too short";
                    break;
                }
                p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
                msg.sub.page    = (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
                xx      = 0;
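Review bot: The two new response checks (`p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN` and `p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN`) are only as strong as constants defined outside this file, and the reads they are meant to cover do not all sit inside the hunk: the UNIT_INFO path keeps reading after `p_data += 4`, and the SUB_UNIT_INFO path enters a loop right after `xx = 0;` that is cut off here, so a reviewer cannot see from the diff that every byte consumed lies below the checked minimum. Each check should carry a comment that pins that contract, e.g. `/* *_RSP_LEN must cover every byte the parser below reads; adjust it if the parser grows */`, so the next person who extends the parser knows to revisit the bound. A small style point: the header check at the top of the function calls `android_errorWriteLog` before the trace, while the two new response checks call it after; either order works, but the three new blocks should agree, and `p_data += 4` in the UNIT_INFO branch would read more consistently with the neighbouring `p_data += AVRC_AVC_HDR_SIZE` as `p_data += AVRC_AVC_HDR_SIZE + 1;`. avrc_msg_cback begins before the first hunk and continues past the last one, so the code the checks protect is not fully visible in this diff.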