Loading system/stack/bnep/bnep_utils.c +63 −23 Original line number Original line Diff line number Diff line Loading 
@@ -762,35 +762,53 @@ void bnep_process_setup_conn_responce (tBNEP_CONN *p_bcb, UINT8 *p_setup) UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext) UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext) { { UINT8 control_type; UINT8 control_type; BOOLEAN bad_pkt = FALSE; UINT16 len, ext_len = 0; UINT16 len, ext_len = 0; if (p == NULL || rem_len == NULL) { if (rem_len != NULL) *rem_len = 0; BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p, rem_len); return NULL; } UINT16 rem_len_orig = *rem_len; if (is_ext) if (is_ext) { { if (*rem_len < 1) goto bad_packet_length; ext_len = *p++; ext_len = *p++; *rem_len = *rem_len - 1; *rem_len = *rem_len - 1; } } if (*rem_len < 1) goto bad_packet_length; control_type = *p++; control_type = *p++; *rem_len = *rem_len - 1; *rem_len = *rem_len - 1; BNEP_TRACE_EVENT ("BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", *rem_len, is_ext, control_type); BNEP_TRACE_EVENT("%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", __func__, *rem_len, is_ext, control_type); switch (control_type) switch (control_type) { { case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD: case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD: BNEP_TRACE_ERROR ("BNEP Received Cmd not understood for ctl pkt type: %d", *p); if (*rem_len < 1) { BNEP_TRACE_ERROR( "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length", __func__); goto bad_packet_length; } BNEP_TRACE_ERROR( "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d", __func__, *p); p++; p++; *rem_len = *rem_len - 1; *rem_len = *rem_len - 1; break; break; case BNEP_SETUP_CONNECTION_REQUEST_MSG: case BNEP_SETUP_CONNECTION_REQUEST_MSG: len = *p++; len = *p++; if (*rem_len < ((2 * len) + 1)) if (*rem_len < ((2 * len) + 1)) { { BNEP_TRACE_ERROR( bad_pkt = TRUE; "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", BNEP_TRACE_ERROR ("BNEP Received Setup 
message with bad length"); __func__); break; goto bad_packet_length; } } if (!is_ext) if (!is_ext) bnep_process_setup_conn_req (p_bcb, p, (UINT8)len); bnep_process_setup_conn_req (p_bcb, p, (UINT8)len); Loading @@ -799,6 +817,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; break; case BNEP_SETUP_CONNECTION_RESPONSE_MSG: case BNEP_SETUP_CONNECTION_RESPONSE_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length", __func__); goto bad_packet_length; } if (!is_ext) if (!is_ext) bnep_process_setup_conn_responce (p_bcb, p); bnep_process_setup_conn_responce (p_bcb, p); p += 2; p += 2; Loading @@ -809,9 +833,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len BE_STREAM_TO_UINT16 (len, p); BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) if (*rem_len < (len + 2)) { { bad_pkt = TRUE; BNEP_TRACE_ERROR( BNEP_TRACE_ERROR ("BNEP Received Filter set message with bad length"); "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", break; __func__); goto bad_packet_length; } } bnepu_process_peer_filter_set (p_bcb, p, len); bnepu_process_peer_filter_set (p_bcb, p, len); p += len; p += len; Loading @@ -819,6 +844,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; break; case BNEP_FILTER_NET_TYPE_RESPONSE_MSG: case BNEP_FILTER_NET_TYPE_RESPONSE_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length", __func__); goto bad_packet_length; } bnepu_process_peer_filter_rsp (p_bcb, p); bnepu_process_peer_filter_rsp (p_bcb, p); p += 2; p += 2; *rem_len = *rem_len - 2; *rem_len = *rem_len - 2; Loading 
@@ -828,9 +859,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len BE_STREAM_TO_UINT16 (len, p); BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) if (*rem_len < (len + 2)) { { bad_pkt = TRUE; BNEP_TRACE_ERROR( BNEP_TRACE_ERROR ("BNEP Received Multicast Filter Set message with bad length"); "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", break; __func__); goto bad_packet_length; } } bnepu_process_peer_multicast_filter_set (p_bcb, p, len); bnepu_process_peer_multicast_filter_set (p_bcb, p, len); p += len; p += len; Loading 
@@ -838,32 +870,40 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; break; case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG: case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length", __func__); goto bad_packet_length; } bnepu_process_multicast_filter_rsp (p_bcb, p); bnepu_process_multicast_filter_rsp (p_bcb, p); p += 2; p += 2; *rem_len = *rem_len - 2; *rem_len = *rem_len - 2; break; break; default : default : BNEP_TRACE_ERROR ("BNEP - bad ctl pkt type: %d", control_type); BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__, control_type); bnep_send_command_not_understood (p_bcb, control_type); bnep_send_command_not_understood (p_bcb, control_type); if (is_ext) if (is_ext) { { if (*rem_len < (ext_len - 1)) { goto bad_packet_length; } p += (ext_len - 1); p += (ext_len - 1); *rem_len -= (ext_len - 1); *rem_len -= (ext_len - 1); } } break; break; } } return p; if (bad_pkt) bad_packet_length: { BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d", BNEP_TRACE_ERROR ("BNEP - bad ctl pkt length: %d", *rem_len); __func__, rem_len_orig, *rem_len); *rem_len = 0; *rem_len = 0; return NULL; return NULL; } } return p; } /******************************************************************************* /******************************************************************************* ** ** Loading Loading
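Review bot: In the BNEP_SETUP_CONNECTION_REQUEST_MSG case of the first hunk, `len = *p++;` still dereferences p before any remaining-length check, so a control packet that ends right after the control-type byte reads one byte beyond the declared remaining length before `*rem_len < ((2 * len) + 1)` rejects it; every other case in this commit got a pre-read guard and this one should too, `if (*rem_len < 1) goto bad_packet_length;` placed before `len = *p++;`. The same pattern is visible in the two filter-set hunks, where `BE_STREAM_TO_UINT16 (len, p)` consumes two bytes ahead of the `*rem_len < (len + 2)` check, so a `*rem_len < 2` guard before the read would match the response-message cases. In the default case of the last hunk, `*rem_len < (ext_len - 1)` is evaluated with both operands promoted to int, so an extension-length byte of 0 yields -1, the guard passes, and `p += (ext_len - 1)` steps the cursor backwards while `*rem_len -= (ext_len - 1)` grows it; `if (ext_len < 1 || *rem_len < (ext_len - 1)) goto bad_packet_length;` would close that. The function body spans several hunks with collapsed regions between them, so the context around the filter-set checks is only partly visible here.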
system/stack/bnep/bnep_utils.c +63 −23 Original line number Original line Diff line number Diff line Loading 
@@ -762,35 +762,53 @@ void bnep_process_setup_conn_responce (tBNEP_CONN *p_bcb, UINT8 *p_setup) UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext) UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext) { { UINT8 control_type; UINT8 control_type; BOOLEAN bad_pkt = FALSE; UINT16 len, ext_len = 0; UINT16 len, ext_len = 0; if (p == NULL || rem_len == NULL) { if (rem_len != NULL) *rem_len = 0; BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p, rem_len); return NULL; } UINT16 rem_len_orig = *rem_len; if (is_ext) if (is_ext) { { if (*rem_len < 1) goto bad_packet_length; ext_len = *p++; ext_len = *p++; *rem_len = *rem_len - 1; *rem_len = *rem_len - 1; } } if (*rem_len < 1) goto bad_packet_length; control_type = *p++; control_type = *p++; *rem_len = *rem_len - 1; *rem_len = *rem_len - 1; BNEP_TRACE_EVENT ("BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", *rem_len, is_ext, control_type); BNEP_TRACE_EVENT("%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", __func__, *rem_len, is_ext, control_type); switch (control_type) switch (control_type) { { case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD: case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD: BNEP_TRACE_ERROR ("BNEP Received Cmd not understood for ctl pkt type: %d", *p); if (*rem_len < 1) { BNEP_TRACE_ERROR( "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length", __func__); goto bad_packet_length; } BNEP_TRACE_ERROR( "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d", __func__, *p); p++; p++; *rem_len = *rem_len - 1; *rem_len = *rem_len - 1; break; break; case BNEP_SETUP_CONNECTION_REQUEST_MSG: case BNEP_SETUP_CONNECTION_REQUEST_MSG: len = *p++; len = *p++; if (*rem_len < ((2 * len) + 1)) if (*rem_len < ((2 * len) + 1)) { { BNEP_TRACE_ERROR( bad_pkt = TRUE; "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length", BNEP_TRACE_ERROR ("BNEP Received Setup 
message with bad length"); __func__); break; goto bad_packet_length; } } if (!is_ext) if (!is_ext) bnep_process_setup_conn_req (p_bcb, p, (UINT8)len); bnep_process_setup_conn_req (p_bcb, p, (UINT8)len); Loading @@ -799,6 +817,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; break; case BNEP_SETUP_CONNECTION_RESPONSE_MSG: case BNEP_SETUP_CONNECTION_RESPONSE_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length", __func__); goto bad_packet_length; } if (!is_ext) if (!is_ext) bnep_process_setup_conn_responce (p_bcb, p); bnep_process_setup_conn_responce (p_bcb, p); p += 2; p += 2; Loading @@ -809,9 +833,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len BE_STREAM_TO_UINT16 (len, p); BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) if (*rem_len < (len + 2)) { { bad_pkt = TRUE; BNEP_TRACE_ERROR( BNEP_TRACE_ERROR ("BNEP Received Filter set message with bad length"); "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length", break; __func__); goto bad_packet_length; } } bnepu_process_peer_filter_set (p_bcb, p, len); bnepu_process_peer_filter_set (p_bcb, p, len); p += len; p += len; Loading @@ -819,6 +844,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; break; case BNEP_FILTER_NET_TYPE_RESPONSE_MSG: case BNEP_FILTER_NET_TYPE_RESPONSE_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length", __func__); goto bad_packet_length; } bnepu_process_peer_filter_rsp (p_bcb, p); bnepu_process_peer_filter_rsp (p_bcb, p); p += 2; p += 2; *rem_len = *rem_len - 2; *rem_len = *rem_len - 2; Loading 
@@ -828,9 +859,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len BE_STREAM_TO_UINT16 (len, p); BE_STREAM_TO_UINT16 (len, p); if (*rem_len < (len + 2)) if (*rem_len < (len + 2)) { { bad_pkt = TRUE; BNEP_TRACE_ERROR( BNEP_TRACE_ERROR ("BNEP Received Multicast Filter Set message with bad length"); "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length", break; __func__); goto bad_packet_length; } } bnepu_process_peer_multicast_filter_set (p_bcb, p, len); bnepu_process_peer_multicast_filter_set (p_bcb, p, len); p += len; p += len; Loading 
@@ -838,32 +870,40 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len break; break; case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG: case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG: if (*rem_len < 2) { BNEP_TRACE_ERROR( "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length", __func__); goto bad_packet_length; } bnepu_process_multicast_filter_rsp (p_bcb, p); bnepu_process_multicast_filter_rsp (p_bcb, p); p += 2; p += 2; *rem_len = *rem_len - 2; *rem_len = *rem_len - 2; break; break; default : default : BNEP_TRACE_ERROR ("BNEP - bad ctl pkt type: %d", control_type); BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__, control_type); bnep_send_command_not_understood (p_bcb, control_type); bnep_send_command_not_understood (p_bcb, control_type); if (is_ext) if (is_ext) { { if (*rem_len < (ext_len - 1)) { goto bad_packet_length; } p += (ext_len - 1); p += (ext_len - 1); *rem_len -= (ext_len - 1); *rem_len -= (ext_len - 1); } } break; break; } } return p; if (bad_pkt) bad_packet_length: { BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d", BNEP_TRACE_ERROR ("BNEP - bad ctl pkt length: %d", *rem_len); __func__, rem_len_orig, *rem_len); *rem_len = 0; *rem_len = 0; return NULL; return NULL; } } return p; } /******************************************************************************* /******************************************************************************* ** ** Loading