system/stack/smp/smp_act.cc +34 −0 @@ -513,6 +513,14 @@ void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; if (smp_command_has_invalid_length(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111850706"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } STREAM_TO_UINT8(p_cb->peer_io_caps, p); STREAM_TO_UINT8(p_cb->peer_oob_flag, p); STREAM_TO_UINT8(p_cb->peer_auth_req, p); @@ -780,6 +788,14 @@ void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; if (smp_command_has_invalid_length(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111213909"); smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data); return; } STREAM_TO_UINT8(p_cb->peer_io_caps, p); STREAM_TO_UINT8(p_cb->peer_oob_flag, p); STREAM_TO_UINT8(p_cb->peer_auth_req, p); @@ -979,6 +995,15 @@ void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { tBTM_LE_PID_KEYS pid_key; SMP_TRACE_DEBUG("%s", __func__); if (smp_command_has_invalid_parameters(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111214770"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true); STREAM_TO_UINT8(pid_key.identity_addr_type, p);
@@ -1003,6 +1028,15 @@ void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { tBTM_LE_PCSRK_KEYS le_key; SMP_TRACE_DEBUG("%s", __func__); if (smp_command_has_invalid_parameters(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111214470"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true); /* save CSRK to security record */ system/stack/smp/smp_int.h +1 −0 @@ -448,6 +448,7 @@ extern void smp_convert_string_to_tk(Octet16* tk, uint32_t passkey); extern void smp_mask_enc_key(uint8_t loc_enc_size, Octet16* p_data); extern void smp_rsp_timeout(void* data); extern void smp_delayed_auth_complete_timeout(void* data); extern bool smp_command_has_invalid_length(tSMP_CB* p_cb); extern bool smp_command_has_invalid_parameters(tSMP_CB* p_cb); extern void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr); extern tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb); system/stack/smp/smp_utils.cc +27 −0
@@ -921,6 +921,33 @@ void smp_proc_pairing_cmpl(tSMP_CB* p_cb) { if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data); } /******************************************************************************* * * Function smp_command_has_invalid_length * * Description Checks if the received SMP command has invalid length * It returns true if the command has invalid length. * * Returns true if the command has invalid length, false otherwise. * ******************************************************************************/ bool smp_command_has_invalid_length(tSMP_CB* p_cb) { uint8_t cmd_code = p_cb->rcvd_cmd_code; if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) || (cmd_code < SMP_OPCODE_MIN)) { SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x", __func__, cmd_code); return true; } if (!smp_command_has_valid_fixed_length(p_cb)) { return true; } return false; } /******************************************************************************* * * Function smp_command_has_invalid_parameters
system/stack/smp/smp_act.cc +34 −0 @@ -513,6 +513,14 @@ void smp_proc_pair_cmd(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; if (smp_command_has_invalid_length(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111850706"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } STREAM_TO_UINT8(p_cb->peer_io_caps, p); STREAM_TO_UINT8(p_cb->peer_oob_flag, p); STREAM_TO_UINT8(p_cb->peer_auth_req, p); @@ -780,6 +788,14 @@ void smp_br_process_pairing_command(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR; if (smp_command_has_invalid_length(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111213909"); smp_br_state_machine_event(p_cb, SMP_BR_AUTH_CMPL_EVT, &smp_int_data); return; } STREAM_TO_UINT8(p_cb->peer_io_caps, p); STREAM_TO_UINT8(p_cb->peer_oob_flag, p); STREAM_TO_UINT8(p_cb->peer_auth_req, p); @@ -979,6 +995,15 @@ void smp_proc_id_addr(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { tBTM_LE_PID_KEYS pid_key; SMP_TRACE_DEBUG("%s", __func__); if (smp_command_has_invalid_parameters(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111214770"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ID, true); STREAM_TO_UINT8(pid_key.identity_addr_type, p);
@@ -1003,6 +1028,15 @@ void smp_proc_srk_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { tBTM_LE_PCSRK_KEYS le_key; SMP_TRACE_DEBUG("%s", __func__); if (smp_command_has_invalid_parameters(p_cb)) { tSMP_INT_DATA smp_int_data; smp_int_data.status = SMP_INVALID_PARAMETERS; android_errorWriteLog(0x534e4554, "111214470"); smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data); return; } smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_CSRK, true); /* save CSRK to security record */
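Review bot: In smp_proc_pair_cmd and smp_br_process_pairing_command the new length check sits after `p_cb->flags |= SMP_PAIR_FLAG_ENC_AFTER_PAIR;`, so a command rejected for its length has already modified the control block, whereas the smp_proc_id_addr and smp_proc_srk_info hunks validate before their first state change (`smp_update_key_mask`). Moving the `if (smp_command_has_invalid_length(p_cb)) { ... }` block above the flag assignment in both pairing handlers would keep the reject path free of side effects, provided nothing earlier in those functions is needed by the check; the function bodies start and end outside the hunks, so that cannot be confirmed here. Each guard would also benefit from a one-line comment such as `/* validate the received command before any field is read from p */`, since the STREAM_TO_UINT8 reads that follow are what the check protects.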
system/stack/smp/smp_int.h +1 −0 @@ -448,6 +448,7 @@ extern void smp_convert_string_to_tk(Octet16* tk, uint32_t passkey); extern void smp_mask_enc_key(uint8_t loc_enc_size, Octet16* p_data); extern void smp_rsp_timeout(void* data); extern void smp_delayed_auth_complete_timeout(void* data); extern bool smp_command_has_invalid_length(tSMP_CB* p_cb); extern bool smp_command_has_invalid_parameters(tSMP_CB* p_cb); extern void smp_reject_unexpected_pairing_command(const RawAddress& bd_addr); extern tSMP_ASSO_MODEL smp_select_association_model(tSMP_CB* p_cb);
system/stack/smp/smp_utils.cc +27 −0 @@ -921,6 +921,33 @@ void smp_proc_pairing_cmpl(tSMP_CB* p_cb) { if (p_callback) (*p_callback)(SMP_COMPLT_EVT, pairing_bda, &evt_data); } /******************************************************************************* * * Function smp_command_has_invalid_length * * Description Checks if the received SMP command has invalid length * It returns true if the command has invalid length. * * Returns true if the command has invalid length, false otherwise. * ******************************************************************************/ bool smp_command_has_invalid_length(tSMP_CB* p_cb) { uint8_t cmd_code = p_cb->rcvd_cmd_code; if ((cmd_code > (SMP_OPCODE_MAX + 1 /* for SMP_OPCODE_PAIR_COMMITM */)) || (cmd_code < SMP_OPCODE_MIN)) { SMP_TRACE_WARNING("%s: Received command with RESERVED code 0x%02x", __func__, cmd_code); return true; } if (!smp_command_has_valid_fixed_length(p_cb)) { return true; } return false; } /******************************************************************************* * * Function smp_command_has_invalid_parameters
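Review bot: The upper bound in smp_command_has_invalid_length is written as `SMP_OPCODE_MAX + 1` with a comment naming SMP_OPCODE_PAIR_COMMITM, so the accepted opcode range is a hand-kept offset that has to stay in step with whatever smp_command_has_valid_fixed_length uses to look up the expected size. That helper is not part of this hunk, so the match cannot be confirmed from here. If SMP_OPCODE_PAIR_COMMITM is the last accepted opcode, comparing against it directly (`cmd_code > SMP_OPCODE_PAIR_COMMITM`) would remove the magic offset. The header comment states the return value three times but omits that reserved opcodes are rejected too and that `p_cb->rcvd_cmd_code` must already be populated; a single sentence such as `Returns true when the opcode is outside the supported range or smp_command_has_valid_fixed_length() rejects the command.` would cover both.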