mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-11 15:39:28 -05:00
92 lines
3.2 KiB
Diff
92 lines
3.2 KiB
Diff
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Brian Delwiche <delwiche@google.com>
|
||
|
Date: Tue, 23 May 2023 23:23:11 +0000
|
||
|
Subject: [PATCH] Fix some OOB errors in BTM parsing
|
||
|
|
||
|
Some HCI BLE events are missing bounds checks, leading to possible OOB
|
||
|
access. Add the appropriate bounds checks on the packets.
|
||
|
|
||
|
Bug: 279169188
|
||
|
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
|
||
|
Tag: #security
|
||
|
Ignore-AOSP-First: Security
|
||
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:949eb6b355f1bdcfb5567ebe1b7f00a61b6fb066)
|
||
|
Merged-In: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
|
||
|
Change-Id: Icf2953c687d9c4e2ca9629474151b8deab6c5f57
|
||
|
---
|
||
|
stack/btm/btm_ble_gap.c | 25 ++++++++++++++++++-------
|
||
|
stack/btu/btu_hcif.c | 7 +++++++
|
||
|
2 files changed, 25 insertions(+), 7 deletions(-)
|
||
|
|
||
|
diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
|
||
|
index a758f991f..591034ddf 100644
|
||
|
--- a/stack/btm/btm_ble_gap.c
|
||
|
+++ b/stack/btm/btm_ble_gap.c
|
||
|
@@ -2687,20 +2687,28 @@ void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
|
||
|
UINT8 *p = data;
|
||
|
UINT8 evt_type, addr_type, num_reports, pkt_data_len;
|
||
|
INT8 rssi;
|
||
|
+ size_t bytes_to_process;
|
||
|
|
||
|
/* Only process the results if the inquiry is still active */
|
||
|
if (!BTM_BLE_IS_SCAN_ACTIVE(btm_cb.ble_ctr_cb.scan_activity))
|
||
|
return;
|
||
|
|
||
|
+ bytes_to_process = 1;
|
||
|
+
|
||
|
+ if (data_len < bytes_to_process) {
|
||
|
+ BTM_TRACE_ERROR("Malformed LE advertising packet: not enough room for num reports");
|
||
|
+ return;
|
||
|
+ }
|
||
|
+
|
||
|
/* Extract the number of reports in this event. */
|
||
|
STREAM_TO_UINT8(num_reports, p);
|
||
|
|
||
|
while (num_reports--)
|
||
|
{
|
||
|
- if (p > data + data_len)
|
||
|
- {
|
||
|
- // TODO(jpawlowski): we should crash the stack here
|
||
|
- BTM_TRACE_ERROR("Malformed LE Advertising Report Event from controller");
|
||
|
+ bytes_to_process += 9;
|
||
|
+
|
||
|
+ if (data_len < bytes_to_process) {
|
||
|
+ BTM_TRACE_ERROR("Malformed LE advertising packet: not enough room for metadata");
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
@@ -2712,9 +2720,12 @@ void btm_ble_process_adv_pkt (UINT8 data_len, UINT8 *data)
|
||
|
|
||
|
UINT8 *pkt_data = p;
|
||
|
p += pkt_data_len; /* Advance to the the rssi byte */
|
||
|
- if (p > data + data_len - sizeof(rssi))
|
||
|
- {
|
||
|
- BTM_TRACE_ERROR("Invalid pkt_data_len: %d", pkt_data_len);
|
||
|
+
|
||
|
+ // include rssi for this check
|
||
|
+ bytes_to_process += pkt_data_len + 1;
|
||
|
+ if (data_len < bytes_to_process) {
|
||
|
+ BTM_TRACE_ERROR("Malformed LE advertising packet: not enough room for "
|
||
|
+ "packet data and/or RSSI");
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
diff --git a/stack/btu/btu_hcif.c b/stack/btu/btu_hcif.c
|
||
|
index 4851e53ad..6a219b4c7 100644
|
||
|
--- a/stack/btu/btu_hcif.c
|
||
|
+++ b/stack/btu/btu_hcif.c
|
||
|
@@ -1794,6 +1794,13 @@ static void btu_ble_data_length_change_evt(UINT8 *p, UINT16 evt_len)
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
+ // 2 bytes each for handle, tx_data_len, TxTimer, rx_data_len
|
||
|
+ if (evt_len < 8)
|
||
|
+ {
|
||
|
+ LOG_ERROR(LOG_TAG, "Event packet too short");
|
||
|
+ return;
|
||
|
+ }
|
||
|
+
|
||
|
STREAM_TO_UINT16(handle, p);
|
||
|
STREAM_TO_UINT16(tx_data_len, p);
|
||
|
p += 2; /* Skip the TxTimer */
|