Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d99de9de authored by Stanley Tng's avatar Stanley Tng
Browse files

DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu 

Add check to make sure that data buffer is big enough to read the 2
bytes for length.

Also, fix a regression from the previous CL that checks the buffer length
before doing a memcpy. The previous check is too strict causing valid
sized buffers to be rejected. The length check is incorrect and off by the header size.

Bug: 120665616
Test: Run the SL4A Test for LE CoC, BleCoCTest
Merged-In: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
Change-Id: I30b7a8af11d3a5f974cb39e06b0e3463bebc8e9a
(cherry picked from commit 3deb5ec3)
(cherry picked from commit 1f1d8b97d80d25023c4c7b04d2aa18d367f4158d)
(cherry picked from commit 6b2739f309f7719086eb8201b3e1a35ba60035f4)
parent 2b257de8

system/stack/l2cap/l2c_fcr.c

+12 −2
Original line number Diff line number Diff line
@@ -840,7 +840,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) 


    if (p_ccb->is_first_seg)

    {

        if (p_buf->len < sizeof(sdu_length)) {

          L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",

                            __func__, p_buf->len);

          android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);

          /* Discard the buffer */

          osi_free(p_buf);

          return;

        }

        STREAM_TO_UINT16(sdu_length, p);



        /* Check the SDU Length with local MTU size */

        if (sdu_length > p_ccb->local_conn_cfg.mtu)

        {
@@ -849,6 +858,9 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) 
            return;

        }



        p_buf->len -= sizeof(sdu_length);

        p_buf->offset += sizeof(sdu_length);



        if (sdu_length < p_buf->len) {

            L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);

            android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
@@ -868,8 +880,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) 
        p_data->len = 0;

        p_ccb->ble_sdu_length = sdu_length;

        L2CAP_TRACE_DEBUG ("%s SDU Length = %d",__func__,sdu_length);

        p_buf->len -= sizeof(sdu_length);

        p_buf->offset += sizeof(sdu_length);

        p_data->offset = 0;

    } else {

      p_data = p_ccb->ble_sdu;