
Commit bd00b471 authored by Pavlin Radoslavov's avatar Pavlin Radoslavov Committed by android-build-team Robot

Add missing AVRCP message length checks inside avrc_msg_cback

Explicitly check the length of the received message before
accessing the data.

Bug: 111803925
Bug: 79883824
Test: POC scripts
Change-Id: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
Merged-In: I00b1c6bd6dd7e18ac2c469ef2032c7ff10dcaecb
(cherry picked from commit 512c3588)
(cherry picked from commit 4fbef1e9)
parent b8aa4adc
+27 −0
@@ -24,6 +24,8 @@
#include <base/logging.h>
#include <base/logging.h>
#include <string.h>
#include <string.h>


#include <log/log.h>

#include "avrc_api.h"
#include "avrc_api.h"
#include "avrc_int.h"
#include "avrc_int.h"
#include "bt_common.h"
#include "bt_common.h"
@@ -660,6 +662,13 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
    msg.browse.browse_len = p_pkt->len;
    msg.browse.browse_len = p_pkt->len;
    msg.browse.p_browse_pkt = p_pkt;
    msg.browse.p_browse_pkt = p_pkt;
  } else {
  } else {
    if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
      android_errorWriteLog(0x534e4554, "111803925");
      AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
                         __func__, p_pkt->len, AVRC_AVC_HDR_SIZE);
      osi_free(p_pkt);
      return;
    }
    msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
    msg.hdr.ctype = p_data[0] & AVRC_CTYPE_MASK;
    AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__,
    AVRC_TRACE_DEBUG("%s handle:%d, ctype:%d, offset:%d, len: %d", __func__,
                     handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
                     handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
@@ -693,6 +702,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
          p_drop_msg = "auto respond";
          p_drop_msg = "auto respond";
        } else {
        } else {
          /* parse response */
          /* parse response */
          if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
            AVRC_TRACE_WARNING(
                "%s: message length %d too short: must be at least %d",
                __func__, p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
            android_errorWriteLog(0x534e4554, "79883824");
            drop = true;
            p_drop_msg = "UNIT_INFO_RSP too short";
            break;
          }
          p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
          p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
          msg.unit.unit_type =
          msg.unit.unit_type =
              (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
              (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
@@ -722,6 +740,15 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
          p_drop_msg = "auto responded";
          p_drop_msg = "auto responded";
        } else {
        } else {
          /* parse response */
          /* parse response */
          if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
            AVRC_TRACE_WARNING(
                "%s: message length %d too short: must be at least %d",
                __func__, p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
            android_errorWriteLog(0x534e4554, "79883824");
            drop = true;
            p_drop_msg = "SUB_UNIT_INFO_RSP too short";
            break;
          }
          p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
          p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
          msg.sub.page =
          msg.sub.page =
              (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
              (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;
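Review bot: The minimum-length guards added in the third and fourth hunks cover only the UNIT_INFO and SUB_UNIT_INFO response parses, while the header check in the second hunk (`p_pkt->len < AVRC_AVC_HDR_SIZE`) guarantees just the AVC header bytes, so any other opcode branch of this switch that advances `p_data` past the header (outside these hunks) would still read beyond `p_pkt->len` unless it carries a guard of its own — worth confirming against the rest of the function. The new checks also depend on `AVRC_OP_UNIT_INFO_RSP_LEN` / `AVRC_OP_SUB_UNIT_INFO_RSP_LEN` (defined outside the hunk) covering every byte the field reads below consume; a comment above `p_data += 4;` such as `/* AVRC_OP_UNIT_INFO_RSP_LEN must cover the header plus every byte read below; keep in sync with the field reads */` would keep the constant and the parse from drifting apart. In the second hunk the early `osi_free(p_pkt); return;` bypasses the function's normal `drop = true; p_drop_msg = ...` path, which is fine if that path only frees the packet, but if it also logs the drop reason or updates per-connection state the early return should do the same. avrc_msg_cback starts and ends outside these hunks.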