
Commit c2aea68e authored by Jakub Pawlowski's avatar Jakub Pawlowski

Add packet length checks in l2cble_process_sig_cmd

Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
parent 19c96e31
+35 −0
@@ -583,6 +583,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
  uint16_t credit;
  p_pkt_end = p + pkt_len;

  if (p + 4 > p_pkt_end) {
    android_errorWriteLog(0x534e4554, "80261585");
    LOG(ERROR) << "invalid read";
    return;
  }

  STREAM_TO_UINT8(cmd_code, p);
  STREAM_TO_UINT8(id, p);
  STREAM_TO_UINT16(cmd_len, p);
@@ -608,6 +614,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      break;

    case L2CAP_CMD_BLE_UPDATE_REQ:
      if (p + 8 > p_pkt_end) {
        android_errorWriteLog(0x534e4554, "80261585");
        LOG(ERROR) << "invalid read";
        return;
      }

      STREAM_TO_UINT16(min_interval, p); /* 0x0006 - 0x0C80 */
      STREAM_TO_UINT16(max_interval, p); /* 0x0006 - 0x0C80 */
      STREAM_TO_UINT16(latency, p);      /* 0x0000 - 0x03E8 */
@@ -656,6 +668,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      break;

    case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:
      if (p + 10 > p_pkt_end) {
        android_errorWriteLog(0x534e4554, "80261585");
        LOG(ERROR) << "invalid read";
        return;
      }

      STREAM_TO_UINT16(con_info.psm, p);
      STREAM_TO_UINT16(rcid, p);
      STREAM_TO_UINT16(mtu, p);
@@ -738,6 +756,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      }
      if (p_ccb) {
        L2CAP_TRACE_DEBUG("I remember the connection req");
        if (p + 10 > p_pkt_end) {
          android_errorWriteLog(0x534e4554, "80261585");
          LOG(ERROR) << "invalid read";
          return;
        }

        STREAM_TO_UINT16(p_ccb->remote_cid, p);
        STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mtu, p);
        STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mps, p);
@@ -783,6 +807,12 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      break;

    case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:
      if (p + 4 > p_pkt_end) {
        android_errorWriteLog(0x534e4554, "80261585");
        LOG(ERROR) << "invalid read";
        return;
      }

      STREAM_TO_UINT16(lcid, p);
      p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid);
      if (p_ccb == NULL) {
@@ -816,6 +846,11 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
      break;

    case L2CAP_CMD_DISC_RSP:
      if (p + 4 > p_pkt_end) {
        android_errorWriteLog(0x534e4554, "80261585");
        LOG(ERROR) << "invalid read";
        return;
      }
      STREAM_TO_UINT16(rcid, p);
      STREAM_TO_UINT16(lcid, p);