
Commit e8d26955 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review

Merge changes I83fef3d9,I71cd2f22,Ibe23668a

* changes:
  Fix OOB in avdt_msg_asmbl
  Fix OOB in sdp_disc_server_rsp
  Fix OOB in btm_ble_vendor_capability_vsc_cmpl_cback
parents d3411b86 72e17e42
+8 −0
@@ -1199,6 +1199,14 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {

  /* parse the message header */
  p = (uint8_t*)(p_buf + 1) + p_buf->offset;

  /* Check if is valid length */
  if (p_buf->len < 1) {
    android_errorWriteLog(0x534e4554, "78287084");
    osi_free(p_buf);
    p_ret = NULL;
    return p_ret;
  }
  AVDT_MSG_PRS_PKT_TYPE(p, pkt_type);

  /* quick sanity check on length */
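Review bot: The new early-return block assigns `p_ret = NULL;` and then returns it, where a plain `return NULL;` reads more simply, and its comment `/* Check if is valid length */` does not say what the check protects. Suggest `/* AVDT_MSG_PRS_PKT_TYPE reads one octet; reject empty payloads before it does */` above the `if`, and `return NULL;` in place of the two-line return. This guard covers only the first octet; the "quick sanity check on length" that follows is outside the hunk, so whether the remaining header fields are bounded cannot be confirmed here. avdt_msg_asmbl continues past the hunk.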
+6 −1
@@ -58,7 +58,10 @@

#define BTM_EXT_BLE_RMT_NAME_TIMEOUT_MS (30 * 1000)
#define MIN_ADV_LENGTH 2
#define BTM_VSC_CHIP_CAPABILITY_RSP_LEN_L_RELEASE 9
#define BTM_VSC_CHIP_CAPABILITY_RSP_LEN 9
#define BTM_VSC_CHIP_CAPABILITY_RSP_LEN_L_RELEASE \
  BTM_VSC_CHIP_CAPABILITY_RSP_LEN
#define BTM_VSC_CHIP_CAPABILITY_RSP_LEN_M_RELEASE 15

namespace {

@@ -495,6 +498,7 @@ static void btm_ble_vendor_capability_vsc_cmpl_cback(
    BTM_TRACE_DEBUG("%s: Status = 0x%02x (0 is success)", __func__, status);
    return;
  }
  CHECK(p_vcs_cplt_params->param_len > BTM_VSC_CHIP_CAPABILITY_RSP_LEN);
  STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.adv_inst_max, p);
  STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.rpa_offloading, p);
  STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.tot_scan_results_strg, p);
@@ -512,6 +516,7 @@ static void btm_ble_vendor_capability_vsc_cmpl_cback(

  if (btm_cb.cmn_ble_vsc_cb.version_supported >=
      BTM_VSC_CHIP_CAPABILITY_M_VERSION) {
    CHECK(p_vcs_cplt_params->param_len >= BTM_VSC_CHIP_CAPABILITY_RSP_LEN_M_RELEASE);
    STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.total_trackable_advertisers, p);
    STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.extended_scan_support, p);
    STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.debug_logging_supported, p);
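Review bot: Both added guards (the one before `STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.adv_inst_max, p)` and the one inside the M-version branch) use `CHECK(...)`, which is fatal on failure, so a controller returning a short vendor-capability response now aborts the Bluetooth process rather than being rejected; the two sibling fixes in this merge log and return early instead, and the same shape would be more consistent here, e.g. `if (p_vcs_cplt_params->param_len < BTM_VSC_CHIP_CAPABILITY_RSP_LEN) { BTM_TRACE_ERROR("%s: short response", __func__); return; }`. The first guard uses `>` against BTM_VSC_CHIP_CAPABILITY_RSP_LEN (9) while the second uses `>=` against the M-release length; if 9 is the exact L-release response size, `>` rejects a valid minimal response, so it is worth confirming which bound is intended. btm_ble_vendor_capability_vsc_cmpl_cback starts and ends outside these hunks, so the reads between them are not visible.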
+6 −0
@@ -230,6 +230,12 @@ void sdp_disc_server_rsp(tCONN_CB* p_ccb, BT_HDR* p_msg) {
  p = (uint8_t*)(p_msg + 1) + p_msg->offset;
  uint8_t* p_end = p + p_msg->len;

  if (p_msg->len < 1) {
    android_errorWriteLog(0x534e4554, "79883568");
    sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
    return;
  }

  BE_STREAM_TO_UINT8(rsp_pdu, p);

  p_msg->len--;
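Review bot: The new guard has no comment saying what it protects; `BE_STREAM_TO_UINT8(rsp_pdu, p)` consumes one octet and `p_msg->len--` accounts for it, so `/* the response PDU id is one octet; reject empty payloads before reading it */` above the `if` would explain the `< 1` bound. The `0x534e4554` tag literal passed to `android_errorWriteLog` also appears verbatim in the avdt fix in this merge; a shared named constant would make the two call sites read alike. Whether the remaining fields are bounded by `p_end` cannot be confirmed from this hunk, as sdp_disc_server_rsp continues outside it.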