
Commit d8d95291 authored by Hui Peng's avatar Hui Peng Committed by Android Build Coastguard Worker

Fix multiple OOB bugs resulted from tx mtu in EATT

The tx mtu in EATT can be controlled by the remote device. With malicious
mtu values, it is possible to trigger integer overflow and
OOB write at multiple places (see the bug below).

This fix enforces a max tx mtu in EATT.

Bug: 271335899
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ea76b7d99e6366e2043c5621eda630d559104d36)
Merged-In: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
Change-Id: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
parent 24a10ec6
+9 −3
@@ -17,6 +17,7 @@

#pragma once

#include <algorithm>
#include <queue>

#include "stack/gatt/gatt_int.h"
@@ -24,6 +25,7 @@

#define EATT_MIN_MTU_MPS (64)
#define EATT_DEFAULT_MTU (256)
#define EATT_MAX_TX_MTU  (1024)

namespace bluetooth {
namespace eatt {
@@ -58,12 +60,13 @@ class EattChannel {
  EattChannel(RawAddress& bda, uint16_t cid, uint16_t tx_mtu, uint16_t rx_mtu)
      : bda_(bda),
        cid_(cid),
        tx_mtu_(tx_mtu),
        rx_mtu_(rx_mtu),
        state_(EattChannelState::EATT_CHANNEL_PENDING),
        indicate_handle_(0),
        ind_ack_timer_(NULL),
        ind_confirmation_timer_(NULL) {}
        ind_confirmation_timer_(NULL) {
    EattChannelSetTxMTU(tx_mtu);
  }

  ~EattChannel() {
    if (ind_ack_timer_ != NULL) {
@@ -92,7 +95,10 @@ class EattChannel {
    }
    state_ = state;
  }
  void EattChannelSetTxMTU(uint16_t tx_mtu) { this->tx_mtu_ = tx_mtu; }

  void EattChannelSetTxMTU(uint16_t tx_mtu) {
    this->tx_mtu_ = std::min<uint16_t>(tx_mtu, EATT_MAX_TX_MTU);
  }
};

/* Interface class */
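Review bot: The cap added in EattChannelSetTxMTU is a silent clamp, so a peer proposing an MTU above EATT_MAX_TX_MTU looks identical to a legitimate 1024 afterwards; since this value is remote-controlled and was the trigger for the OOB writes, emitting a warning through the stack's logging macro when `tx_mtu > EATT_MAX_TX_MTU` would give defenders something to detect on. The new macro in the second hunk also deserves a comment stating why it exists, e.g. `/* Upper bound for the peer-proposed tx MTU; larger values are clamped so downstream buffer-size arithmetic stays in range (b/271335899). */`. The setter only bounds from above — whether values below EATT_MIN_MTU_MPS are rejected before they reach it is not visible here. The constructor still initialises `tx_mtu_(tx_mtu)` in the init list and then clamps in the body; initialising with `tx_mtu_(std::min<uint16_t>(tx_mtu, EATT_MAX_TX_MTU))` would remove the redundant raw store. Note that tx_mtu_ remains a publicly assignable member (the eatt_impl hunk writes rx_mtu_ directly and used to write tx_mtu_ the same way), so the cap holds only at call sites that remember to use the setter.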
+1 −1
@@ -210,7 +210,7 @@ struct eatt_impl {
    if (is_local_cfg)
      channel->rx_mtu_ = p_cfg->mtu;
    else
      channel->tx_mtu_ = p_cfg->mtu;
      channel->EattChannelSetTxMTU(p_cfg->mtu);

    /* Go back to open state */
    channel->EattChannelSetState(EattChannelState::EATT_CHANNEL_OPENED);
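Review bot: The local-config branch still writes `channel->rx_mtu_ = p_cfg->mtu;` directly while the remote branch now goes through the capped setter; that asymmetry appears intentional (rx_mtu_ comes from the local configuration) but it is not self-explanatory next to the fix, and a later cleanup could easily "simplify" both branches back to raw stores. A comment above the if, such as `/* rx_mtu_ is locally configured; tx_mtu_ is peer-proposed and capped in EattChannelSetTxMTU */`, would record the reason. The enclosing function in eatt_impl begins before this hunk.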