
Commit f785bad1 authored by Pavlin Radoslavov's avatar Pavlin Radoslavov Committed by android-build-merger

Merge "Add missing packet length checks while parsing BNEP control packets"...

Merge "Add missing packet length checks while parsing BNEP control packets" into mnc-dev am: dece8b7d am: 39fc1e75 am: 4d00addc am: 1bd4a09e am: 43ed21e1 am: b565ccc8 am: 1d915af1
am: 7e10cae0

Change-Id: Icdfb4c0ff269f4ea378170f7be4a22d3921b18be
parents ce52a853 7e10cae0
+63 −23
@@ -762,35 +762,53 @@ void bnep_process_setup_conn_responce (tBNEP_CONN *p_bcb, UINT8 *p_setup)
UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext)
UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len, BOOLEAN is_ext)
{
{
    UINT8       control_type;
    UINT8       control_type;
    BOOLEAN     bad_pkt = FALSE;
    UINT16      len, ext_len = 0;
    UINT16      len, ext_len = 0;


    if (p == NULL || rem_len == NULL) {
        if (rem_len != NULL) *rem_len = 0;
        BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p,
                         rem_len);
        return NULL;
    }
    UINT16 rem_len_orig = *rem_len;

    if (is_ext)
    if (is_ext)
    {
    {
        if (*rem_len < 1) goto bad_packet_length;
        ext_len = *p++;
        ext_len = *p++;
        *rem_len = *rem_len - 1;
        *rem_len = *rem_len - 1;
    }
    }


    if (*rem_len < 1) goto bad_packet_length;
    control_type = *p++;
    control_type = *p++;
    *rem_len = *rem_len - 1;
    *rem_len = *rem_len - 1;


    BNEP_TRACE_EVENT ("BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d", *rem_len, is_ext, control_type);
    BNEP_TRACE_EVENT("%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
                     __func__, *rem_len, is_ext, control_type);


    switch (control_type)
    switch (control_type)
    {
    {
    case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD:
    case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD:
        BNEP_TRACE_ERROR ("BNEP Received Cmd not understood for ctl pkt type: %d", *p);
        if (*rem_len < 1) {
            BNEP_TRACE_ERROR(
              "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length",
              __func__);
            goto bad_packet_length;
        }
        BNEP_TRACE_ERROR(
          "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d",
          __func__, *p);
        p++;
        p++;
        *rem_len = *rem_len - 1;
        *rem_len = *rem_len - 1;
        break;
        break;


    case BNEP_SETUP_CONNECTION_REQUEST_MSG:
    case BNEP_SETUP_CONNECTION_REQUEST_MSG:
        len = *p++;
        len = *p++;
        if (*rem_len < ((2 * len) + 1))
        if (*rem_len < ((2 * len) + 1)) {
        {
            BNEP_TRACE_ERROR(
            bad_pkt = TRUE;
              "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
            BNEP_TRACE_ERROR ("BNEP Received Setup message with bad length");
              __func__);
            break;
            goto bad_packet_length;
        }
        }
        if (!is_ext)
        if (!is_ext)
            bnep_process_setup_conn_req (p_bcb, p, (UINT8)len);
            bnep_process_setup_conn_req (p_bcb, p, (UINT8)len);
@@ -799,6 +817,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
        break;
        break;


    case BNEP_SETUP_CONNECTION_RESPONSE_MSG:
    case BNEP_SETUP_CONNECTION_RESPONSE_MSG:
        if (*rem_len < 2) {
            BNEP_TRACE_ERROR(
              "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length",
              __func__);
            goto bad_packet_length;
        }
        if (!is_ext)
        if (!is_ext)
            bnep_process_setup_conn_responce (p_bcb, p);
            bnep_process_setup_conn_responce (p_bcb, p);
        p += 2;
        p += 2;
@@ -809,9 +833,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
        BE_STREAM_TO_UINT16 (len, p);
        BE_STREAM_TO_UINT16 (len, p);
        if (*rem_len < (len + 2))
        if (*rem_len < (len + 2))
        {
        {
            bad_pkt = TRUE;
            BNEP_TRACE_ERROR(
            BNEP_TRACE_ERROR ("BNEP Received Filter set message with bad length");
              "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
            break;
              __func__);
            goto bad_packet_length;
        }
        }
        bnepu_process_peer_filter_set (p_bcb, p, len);
        bnepu_process_peer_filter_set (p_bcb, p, len);
        p += len;
        p += len;
@@ -819,6 +844,12 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
        break;
        break;


    case BNEP_FILTER_NET_TYPE_RESPONSE_MSG:
    case BNEP_FILTER_NET_TYPE_RESPONSE_MSG:
        if (*rem_len < 2) {
            BNEP_TRACE_ERROR(
              "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length",
              __func__);
            goto bad_packet_length;
        }
        bnepu_process_peer_filter_rsp (p_bcb, p);
        bnepu_process_peer_filter_rsp (p_bcb, p);
        p += 2;
        p += 2;
        *rem_len = *rem_len - 2;
        *rem_len = *rem_len - 2;
@@ -828,9 +859,10 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
        BE_STREAM_TO_UINT16 (len, p);
        BE_STREAM_TO_UINT16 (len, p);
        if (*rem_len < (len + 2))
        if (*rem_len < (len + 2))
        {
        {
            bad_pkt = TRUE;
            BNEP_TRACE_ERROR(
            BNEP_TRACE_ERROR ("BNEP Received Multicast Filter Set message with bad length");
              "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
            break;
              __func__);
            goto bad_packet_length;
        }
        }
        bnepu_process_peer_multicast_filter_set (p_bcb, p, len);
        bnepu_process_peer_multicast_filter_set (p_bcb, p, len);
        p += len;
        p += len;
@@ -838,32 +870,40 @@ UINT8 *bnep_process_control_packet (tBNEP_CONN *p_bcb, UINT8 *p, UINT16 *rem_len
        break;
        break;


    case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG:
    case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG:
        if (*rem_len < 2) {
            BNEP_TRACE_ERROR(
              "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length",
              __func__);
            goto bad_packet_length;
        }
        bnepu_process_multicast_filter_rsp (p_bcb, p);
        bnepu_process_multicast_filter_rsp (p_bcb, p);
        p += 2;
        p += 2;
        *rem_len = *rem_len - 2;
        *rem_len = *rem_len - 2;
        break;
        break;


    default :
    default :
        BNEP_TRACE_ERROR ("BNEP - bad ctl pkt type: %d", control_type);
        BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__,
                         control_type);
        bnep_send_command_not_understood (p_bcb, control_type);
        bnep_send_command_not_understood (p_bcb, control_type);
        if (is_ext)
        if (is_ext)
        {
        {
            if (*rem_len < (ext_len - 1)) {
                goto bad_packet_length;
            }
            p += (ext_len - 1);
            p += (ext_len - 1);
            *rem_len -= (ext_len - 1);
            *rem_len -= (ext_len - 1);
        }
        }
        break;
        break;
    }
    }
    return p;


    if (bad_pkt)
bad_packet_length:
    {
    BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d",
        BNEP_TRACE_ERROR ("BNEP - bad ctl pkt length: %d", *rem_len);
                     __func__, rem_len_orig, *rem_len);
    *rem_len = 0;
    *rem_len = 0;
    return NULL;
    return NULL;
}
}


    return p;
}



/*******************************************************************************
/*******************************************************************************
**
**
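Review bot: The new guard in the `default` branch, `if (*rem_len < (ext_len - 1))`, does not cover an extension header whose length byte is 0. Since `ext_len` is a UINT16, `ext_len - 1` is evaluated in int arithmetic as -1, the comparison is never true, and the following `p += (ext_len - 1)` steps the pointer back one byte while `*rem_len -= (ext_len - 1)` wraps the remaining length up by one, so the caller (outside this hunk) is presumably handed a pointer before the byte it just consumed and a length larger than it passed in. A zero-length extension cannot have carried the control type byte already read from it, so it should either be rejected or not be skipped: change the condition to `if (is_ext && ext_len > 0)`, or `goto bad_packet_length` right after `ext_len = *p++` when it reads 0. Separately, the `BNEP_SETUP_CONNECTION_REQUEST_MSG` case still executes `len = *p++` before any check that a byte remains, so a packet ending right after the control type byte is over-read by one byte before the `(2 * len) + 1` test rejects it; adding `if (*rem_len < 1) goto bad_packet_length;` ahead of that read would match the other cases in this function.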