90 lines
3.3 KiB
Diff
Raw Normal View History

From 83f6ba8dc3f5bd609c117527da4e46bb36612e04 Mon Sep 17 00:00:00 2001
From: Zongheng Wang <wangzongheng@google.com>
Date: Mon, 5 Aug 2019 12:45:35 -0700
Subject: [PATCH] SDP: disconnect if sdp_copy_raw_data fails
Our partners met with the problem with sdp_copy_raw_data updated in
CVE-2019-2116. When peer device responds with a wrong size,
sdp_copy_raw_data will not complete and won't trigger
disconnection. This CL enables the disconnection when a wrong size is
received.
Bug: 137239831
Bug: 117105007
Test: manual test
Change-Id: I9f0df8b2de28970e7d69b737ce5d363785183bf3
Merged-In: I9f0df8b2de28970e7d69b737ce5d363785183bf3
(cherry picked from commit bc9df3451dad17c1ab1002fdbc85d60e57d4f0af)
(cherry picked from commit 41939a2b5a8e3584c5a99dfe264a47df79e3091f)
---
stack/sdp/sdp_discovery.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index 81b5d584..474ce6b7 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -398,11 +398,13 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
** Description copy the raw data
**
**
-** Returns void
+** Returns BOOLEAN
+** true if successful
+** false if not copied
**
*******************************************************************************/
#if (SDP_RAW_DATA_INCLUDED == TRUE)
-static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
+static BOOLEAN sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
{
unsigned int cpy_len, rem_len;
UINT32 list_len;
@@ -439,12 +441,12 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
if (p == NULL || (p + list_len) > p_end)
{
SDP_TRACE_WARNING1("%s: bad length", __func__);
- return;
+ return FALSE;
}
if ((int)cpy_len < (p - old_p))
{
SDP_TRACE_WARNING1("%s: no bytes left for data", __func__);
- return;
+ return FALSE;
}
cpy_len -= (p - old_p);
}
@@ -464,6 +466,7 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
memcpy (&p_ccb->p_db->raw_data[p_ccb->p_db->raw_used], p, cpy_len);
p_ccb->p_db->raw_used += cpy_len;
}
+ return TRUE;
}
#endif
@@ -547,7 +550,10 @@ static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
#if (SDP_RAW_DATA_INCLUDED == TRUE)
SDP_TRACE_WARNING0("process_service_attr_rsp");
- sdp_copy_raw_data (p_ccb, FALSE);
+ if (!sdp_copy_raw_data(p_ccb, FALSE)) {
+ SDP_TRACE_ERROR0("sdp_copy_raw_data failed");
+ sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
+ }
#endif
/* Save the response in the database. Stop on any error */
@@ -804,7 +810,10 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
#if (SDP_RAW_DATA_INCLUDED == TRUE)
SDP_TRACE_WARNING0("process_service_search_attr_rsp");
- sdp_copy_raw_data (p_ccb, TRUE);
+ if (!sdp_copy_raw_data (p_ccb, TRUE)) {
+ SDP_TRACE_ERROR0("sdp_copy_raw_data failed");
+ sdp_disconnect(p_ccb, SDP_ILLEGAL_PARAMETER);
+ }
#endif
p = &p_ccb->rsp_list[0];