
Commit e8ec5b83 authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker

Fix an OOB bug in BqrVseSubEvt::ParseBqrLinkQualityEvt am: ecd5a3e8

parents 58463a03 ecd5a3e8
+2 −0
@@ -89,6 +89,8 @@ static constexpr uint16_t kLogDumpEventPerFile = 0x00FF;
// Total length of all parameters of the link Quality related event except
// Vendor Specific Parameters.
static constexpr uint8_t kLinkQualityParamTotalLen = 48;
// 7.8.116 LE Read ISO Link Quality command
static constexpr uint8_t kISOLinkQualityParamTotalLen = 24;
// Total length of all parameters of the ROOT_INFLAMMATION event except Vendor
// Specific Parameters.
static constexpr uint8_t kRootInflammationParamTotalLen = 3;
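Review bot: The new comment on `kISOLinkQualityParamTotalLen` cites only a spec section and does not say what the 24 counts, unlike the comments on the neighbouring constants. The value has to stay equal to the six 4-byte `STREAM_TO_UINT32` reads it guards in `ParseBqrLinkQualityEvt`; if a field is added there without updating it, the bounds check silently becomes too small. I would write `// Total length of the ISO link quality parameters (six uint32_t counters) appended when vendor_cap_supported_version >= kBqrIsoVersion.` above the constant.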
+21 −7
@@ -77,13 +77,27 @@ void BqrVseSubEvt::ParseBqrLinkQualityEvt(uint8_t length,
  STREAM_TO_UINT32(bqr_link_quality_event_.buffer_underflow_bytes, p_param_buf);

  if (vendor_cap_supported_version >= kBqrIsoVersion) {
    if (length < kLinkQualityParamTotalLen + kISOLinkQualityParamTotalLen) {
      LOG(WARNING) << __func__
                   << ": Parameter total length: " << std::to_string(length)
                   << " is abnormal. "
                   << "vendor_cap_supported_version: "
                   << vendor_cap_supported_version << " "
                   << " (>= "
                   << "kBqrIsoVersion=" << kBqrIsoVersion << "), "
                   << "It should not be shorter than: "
                   << std::to_string(kLinkQualityParamTotalLen +
                                     kISOLinkQualityParamTotalLen);
    } else {
      STREAM_TO_UINT32(bqr_link_quality_event_.tx_total_packets, p_param_buf);
      STREAM_TO_UINT32(bqr_link_quality_event_.tx_unacked_packets, p_param_buf);
      STREAM_TO_UINT32(bqr_link_quality_event_.tx_flushed_packets, p_param_buf);
      STREAM_TO_UINT32(bqr_link_quality_event_.tx_last_subevent_packets,
                       p_param_buf);
      STREAM_TO_UINT32(bqr_link_quality_event_.crc_error_packets, p_param_buf);
    STREAM_TO_UINT32(bqr_link_quality_event_.rx_duplicate_packets, p_param_buf);
      STREAM_TO_UINT32(bqr_link_quality_event_.rx_duplicate_packets,
                       p_param_buf);
    }
  }

  const auto now = system_clock::to_time_t(system_clock::now());
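Review bot: On the short-length branch the parser only logs a warning and falls through, so the six ISO counters in `bqr_link_quality_event_` keep whatever they held before and the rest of the function still treats the event as parsed. Because the function returns void, callers cannot tell a truncated event from a complete one; I would either reset those fields in the warning branch (e.g. `bqr_link_quality_event_.tx_total_packets = 0;` and likewise for the other five) or have the function report failure. The check also trusts `length` to describe the buffer behind `p_param_buf`, which looks like the caller's responsibility and is not visible here. The function begins before and continues after this hunk, so an existing guard for the first `kLinkQualityParamTotalLen` bytes is assumed rather than seen.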