Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9f4a6f02 authored by Jakub Pawlowski's avatar Jakub Pawlowski Committed by android-build-merger
Browse files

Merge "Add packet length checks in l2cble_process_sig_cmd" into oc-dev 

am: ece63864

Change-Id: I4fd9e4c93bc35fb27c2ef880a3429bdb57245368
parents 44f2c02f ece63864

system/stack/l2cap/l2c_ble.cc

+35 −0
Original line number Diff line number Diff line
@@ -586,6 +586,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
  uint16_t credit;

  p_pkt_end = p + pkt_len;



  if (p + 4 > p_pkt_end) {

    android_errorWriteLog(0x534e4554, "80261585");

    LOG(ERROR) << "invalid read";

    return;

  }



  STREAM_TO_UINT8(cmd_code, p);

  STREAM_TO_UINT8(id, p);

  STREAM_TO_UINT16(cmd_len, p);
@@ -611,6 +617,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      break;



    case L2CAP_CMD_BLE_UPDATE_REQ:

      if (p + 8 > p_pkt_end) {

        android_errorWriteLog(0x534e4554, "80261585");

        LOG(ERROR) << "invalid read";

        return;

      }



      STREAM_TO_UINT16(min_interval, p); /* 0x0006 - 0x0C80 */

      STREAM_TO_UINT16(max_interval, p); /* 0x0006 - 0x0C80 */

      STREAM_TO_UINT16(latency, p);      /* 0x0000 - 0x03E8 */
@@ -659,6 +671,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      break;



    case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:

      if (p + 10 > p_pkt_end) {

        android_errorWriteLog(0x534e4554, "80261585");

        LOG(ERROR) << "invalid read";

        return;

      }



      STREAM_TO_UINT16(con_info.psm, p);

      STREAM_TO_UINT16(rcid, p);

      STREAM_TO_UINT16(mtu, p);
@@ -741,6 +759,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      }

      if (p_ccb) {

        L2CAP_TRACE_DEBUG("I remember the connection req");

        if (p + 10 > p_pkt_end) {

          android_errorWriteLog(0x534e4554, "80261585");

          LOG(ERROR) << "invalid read";

          return;

        }



        STREAM_TO_UINT16(p_ccb->remote_cid, p);

        STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mtu, p);

        STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mps, p);
@@ -786,6 +810,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      break;



    case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:

      if (p + 4 > p_pkt_end) {

        android_errorWriteLog(0x534e4554, "80261585");

        LOG(ERROR) << "invalid read";

        return;

      }



      STREAM_TO_UINT16(lcid, p);

      p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid);

      if (p_ccb == NULL) {
@@ -819,6 +849,11 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
      break;



    case L2CAP_CMD_DISC_RSP:

      if (p + 4 > p_pkt_end) {

        android_errorWriteLog(0x534e4554, "80261585");

        LOG(ERROR) << "invalid read";

        return;

      }

      STREAM_TO_UINT16(rcid, p);

      STREAM_TO_UINT16(lcid, p);