
Commit d6fb14ae authored by Jakub Pawlowski's avatar Jakub Pawlowski

LE Advertising Report parsing enhancements

Reject invalid data length for advertisement data.
Also, don't attempt to resolve anonymous advertising addresses.

Test: LE scanning tests
Bug: 73193883
Change-Id: I1cb330bc30fdcaebc86527cd2656c9dd7932b318
parent 57659d88
+14 −3
@@ -1909,13 +1909,20 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {


    uint8_t* pkt_data = p;
    uint8_t* pkt_data = p;
    p += pkt_data_len; /* Advance to the the next packet*/
    p += pkt_data_len; /* Advance to the the next packet*/
    if (p > data + data_len) {
      LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
      return;
    }


    if (rssi >= 21 && rssi <= 126) {
    if (rssi >= 21 && rssi <= 126) {
      BTM_TRACE_ERROR("%s: bad rssi value in advertising report: ", __func__,
      BTM_TRACE_ERROR("%s: bad rssi value in advertising report: %d", __func__,
                      pkt_data_len, rssi);
                      rssi);
    }
    }


    if (addr_type != BLE_ADDR_ANONYMOUS) {
      btm_ble_process_adv_addr(bda, &addr_type);
      btm_ble_process_adv_addr(bda, &addr_type);
    }

    btm_ble_process_adv_pkt_cont(event_type, addr_type, bda, primary_phy,
    btm_ble_process_adv_pkt_cont(event_type, addr_type, bda, primary_phy,
                                 secondary_phy, advertising_sid, tx_power, rssi,
                                 secondary_phy, advertising_sid, tx_power, rssi,
                                 periodic_adv_int, pkt_data_len, pkt_data);
                                 periodic_adv_int, pkt_data_len, pkt_data);
@@ -1954,6 +1961,10 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {


    uint8_t* pkt_data = p;
    uint8_t* pkt_data = p;
    p += pkt_data_len; /* Advance to the the rssi byte */
    p += pkt_data_len; /* Advance to the the rssi byte */
    if (p > data + data_len - sizeof(rssi)) {
      LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
      return;
    }


    STREAM_TO_INT8(rssi, p);
    STREAM_TO_INT8(rssi, p);
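Review bot: Both new length checks run only after `p += pkt_data_len` has already advanced `p`, so an oversized `pkt_data_len` makes the code form a pointer past the end of `data` (undefined behaviour) before the report is rejected; in `btm_ble_process_adv_pkt` the bound `data + data_len - sizeof(rssi)` also points before `data` when `data_len` is 0. Comparing lengths before advancing avoids both: put `if (pkt_data_len > (data + data_len) - p)` ahead of `p += pkt_data_len;` in the extended path, and in the legacy path additionally reserve the one RSSI byte in that comparison. The per-report header fields are parsed above these hunks, outside the visible lines; if those reads are not themselves bounded by `data_len`, a truncated report would be over-read before either check runs, so that is worth confirming. Both function bodies start and end outside the hunks shown.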


+1 −0
@@ -723,6 +723,7 @@ typedef struct {
#define BLE_ADDR_RANDOM 0x01
#define BLE_ADDR_RANDOM 0x01
#define BLE_ADDR_PUBLIC_ID 0x02
#define BLE_ADDR_PUBLIC_ID 0x02
#define BLE_ADDR_RANDOM_ID 0x03
#define BLE_ADDR_RANDOM_ID 0x03
#define BLE_ADDR_ANONYMOUS 0xFF
typedef uint8_t tBLE_ADDR_TYPE;
typedef uint8_t tBLE_ADDR_TYPE;
#define BLE_ADDR_TYPE_MASK (BLE_ADDR_RANDOM | BLE_ADDR_PUBLIC)
#define BLE_ADDR_TYPE_MASK (BLE_ADDR_RANDOM | BLE_ADDR_PUBLIC)