Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a3c6fc61 authored by Hui Peng's avatar Hui Peng
Browse files

Add validation on sdp attr type and size in hidh_api.cc 

Bug: 263958603
Test: atest net_test_stack_hid
Ignore-AOSP-First: security
Tag: #security

Merged-In: Ia2e8e588ad890b531b94e2fca84279de603dcc05
Change-Id: Ia2e8e588ad890b531b94e2fca84279de603dcc05
(cherry picked from commit 5715e465)
parent b7c4b272

system/stack/hid/hidh_api.cc

+44 −13
Original line number Diff line number Diff line
@@ -78,6 +78,7 @@ void hidh_get_str_attr(tSDP_DISC_REC* p_rec, uint16_t attr_id, uint16_t max_len, 


  p_attr = SDP_FindAttributeInRec(p_rec, attr_id);

  if (p_attr != NULL) {

    if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == TEXT_STR_DESC_TYPE) {

      name_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);

      if (name_len < max_len) {

        memcpy(str, (char*)p_attr->attr_value.v.array, name_len);
@@ -86,6 +87,10 @@ void hidh_get_str_attr(tSDP_DISC_REC* p_rec, uint16_t attr_id, uint16_t max_len, 
        memcpy(str, (char*)p_attr->attr_value.v.array, max_len - 1);

        str[max_len - 1] = '\0';

      }

    } else {

      str[0] = '\0';

      LOG_ERROR("attr type not str!!");

    }

  } else

    str[0] = '\0';

}
@@ -134,36 +139,48 @@ static void hidh_search_callback(tSDP_RESULT sdp_result) { 


  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_VIRTUAL_CABLE)) !=

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_VIRTUAL_CABLE;

  }



  if (((p_attr = SDP_FindAttributeInRec(

            p_rec, ATTR_ID_HID_RECONNECT_INITIATE)) != NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_RECONN_INIT;

  }



  if (((p_attr = SDP_FindAttributeInRec(

            p_rec, ATTR_ID_HID_NORMALLY_CONNECTABLE)) != NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_NORMALLY_CONNECTABLE;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_SDP_DISABLE)) !=

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_SDP_DISABLE;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_BATTERY_POWER)) !=

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_BATTERY_POWER;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_REMOTE_WAKE)) !=

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == BOOLEAN_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1 &&

      (p_attr->attr_value.v.u8)) {

    attr_mask |= HID_REMOTE_WAKE;

  }
@@ -176,40 +193,54 @@ static void hidh_search_callback(tSDP_RESULT sdp_result) { 
                    p_nvi->prov_name);



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_DEVICE_RELNUM)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    p_nvi->rel_num = p_attr->attr_value.v.u16;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_COUNTRY_CODE)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1) {

    p_nvi->ctry_code = p_attr->attr_value.v.u8;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_DEVICE_SUBCLASS)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 1) {

    p_nvi->sub_class = p_attr->attr_value.v.u8;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_PARSER_VERSION)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    p_nvi->hpars_ver = p_attr->attr_value.v.u16;

  }



  if (((p_attr = SDP_FindAttributeInRec(

            p_rec, ATTR_ID_HID_LINK_SUPERVISION_TO)) != NULL)) {

            p_rec, ATTR_ID_HID_LINK_SUPERVISION_TO)) != NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    attr_mask |= HID_SUP_TOUT_AVLBL;

    p_nvi->sup_timeout = p_attr->attr_value.v.u16;

  }



  if (((p_attr = SDP_FindAttributeInRec(p_rec, ATTR_ID_HID_SSR_HOST_MAX_LAT)) !=

       NULL)) {

       NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    attr_mask |= HID_SSR_MAX_LATENCY;

    p_nvi->ssr_max_latency = p_attr->attr_value.v.u16;

  } else

    p_nvi->ssr_max_latency = HID_SSR_PARAM_INVALID;



  if (((p_attr = SDP_FindAttributeInRec(

            p_rec, ATTR_ID_HID_SSR_HOST_MIN_TOUT)) != NULL)) {

            p_rec, ATTR_ID_HID_SSR_HOST_MIN_TOUT)) != NULL) &&

      SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

      SDP_DISC_ATTR_LEN(p_attr->attr_len_type) >= 2) {

    attr_mask |= HID_SSR_MIN_TOUT;

    p_nvi->ssr_min_tout = p_attr->attr_value.v.u16;

  } else