DivestOS/Patches/LineageOS-15.1/android_system_bt/379154-prereq-2.patch

69 lines
2.5 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski <jpawlowski@google.com>
Date: Wed, 21 Mar 2018 17:13:36 -0700
Subject: [PATCH] LE Advertising Report parsing enhancements
Reject invalid data length for advertisement data.
Also, don't attempt to resolve anonymous advertising addresses.
Test: LE scanning tests
Bug: 73193883
Change-Id: I1cb330bc30fdcaebc86527cd2656c9dd7932b318
(cherry picked from commit 47efa5b569e8dfa6c4397f0a9598d8137f71a05f)
---
stack/btm/btm_ble_gap.cc | 17 ++++++++++++++---
stack/include/bt_types.h | 1 +
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/stack/btm/btm_ble_gap.cc b/stack/btm/btm_ble_gap.cc
index bf526b67f..4f09f270a 100644
--- a/stack/btm/btm_ble_gap.cc
+++ b/stack/btm/btm_ble_gap.cc
@@ -1909,13 +1909,20 @@ void btm_ble_process_ext_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* pkt_data = p;
p += pkt_data_len; /* Advance to the the next packet*/
+ if (p > data + data_len) {
+ LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
+ return;
+ }
if (rssi >= 21 && rssi <= 126) {
- BTM_TRACE_ERROR("%s: bad rssi value in advertising report: ", __func__,
- pkt_data_len, rssi);
+ BTM_TRACE_ERROR("%s: bad rssi value in advertising report: %d", __func__,
+ rssi);
+ }
+
+ if (addr_type != BLE_ADDR_ANONYMOUS) {
+ btm_ble_process_adv_addr(bda, &addr_type);
}
- btm_ble_process_adv_addr(bda, &addr_type);
btm_ble_process_adv_pkt_cont(event_type, addr_type, bda, primary_phy,
secondary_phy, advertising_sid, tx_power, rssi,
periodic_adv_int, pkt_data_len, pkt_data);
@@ -1954,6 +1961,10 @@ void btm_ble_process_adv_pkt(uint8_t data_len, uint8_t* data) {
uint8_t* pkt_data = p;
p += pkt_data_len; /* Advance to the the rssi byte */
+ if (p > data + data_len - sizeof(rssi)) {
+ LOG(ERROR) << "Invalid pkt_data_len: " << +pkt_data_len;
+ return;
+ }
STREAM_TO_INT8(rssi, p);
diff --git a/stack/include/bt_types.h b/stack/include/bt_types.h
index 6acce0ffc..1c7e54ea2 100644
--- a/stack/include/bt_types.h
+++ b/stack/include/bt_types.h
@@ -729,6 +729,7 @@ typedef struct {
#define BLE_ADDR_RANDOM 0x01
#define BLE_ADDR_PUBLIC_ID 0x02
#define BLE_ADDR_RANDOM_ID 0x03
+#define BLE_ADDR_ANONYMOUS 0xFF
typedef uint8_t tBLE_ADDR_TYPE;
#define BLE_ADDR_TYPE_MASK (BLE_ADDR_RANDOM | BLE_ADDR_PUBLIC)