2022-09-10 18:09:00 -04:00
|
|
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Chienyuan <chienyuanhuang@google.com>
|
|
|
|
Date: Wed, 30 Jan 2019 19:17:03 +0800
|
2022-09-10 19:04:29 -04:00
|
|
|
Subject: [PATCH] Fix OOB in BNEP_Write
|
2022-09-10 18:09:00 -04:00
|
|
|
|
|
|
|
Bug: 112050583
|
|
|
|
Test: PoC
|
|
|
|
Change-Id: I2ad3aceea38950b83f98819ede47538afb053ac0
|
|
|
|
(cherry picked from commit b31554e2a31534888c0eb593d915f735ce4670c7)
|
|
|
|
CRs-Fixed: 3155069
|
|
|
|
---
|
|
|
|
stack/bnep/bnep_api.cc | 13 +++++++++++--
|
|
|
|
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
|
|
|
|
|
|
diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
|
2022-09-10 19:04:29 -04:00
|
|
|
index 60c8d1117..817507320 100644
|
2022-09-10 18:09:00 -04:00
|
|
|
--- a/stack/bnep/bnep_api.cc
|
|
|
|
+++ b/stack/bnep/bnep_api.cc
|
|
|
|
@@ -346,10 +346,15 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
|
|
|
|
p_bcb = &(bnep_cb.bcb[handle - 1]);
|
|
|
|
/* Check MTU size */
|
|
|
|
if (p_buf->len > BNEP_MTU_SIZE) {
|
|
|
|
- BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", p_buf->len,
|
|
|
|
+ BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, p_buf->len,
|
|
|
|
BNEP_MTU_SIZE);
|
|
|
|
osi_free(p_buf);
|
|
|
|
return (BNEP_MTU_EXCEDED);
|
|
|
|
+ } else if (p_buf->len < 2) {
|
|
|
|
+ BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
|
|
|
|
+ p_buf->len);
|
|
|
|
+ osi_free(p_buf);
|
|
|
|
+ return BNEP_IGNORE_CMD;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check if the packet should be filtered out */
|
2022-09-10 19:04:29 -04:00
|
|
|
@@ -451,9 +456,13 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,
|
2022-09-10 18:09:00 -04:00
|
|
|
|
|
|
|
/* Check MTU size. Consider the possibility of having extension headers */
|
|
|
|
if (len > BNEP_MTU_SIZE) {
|
|
|
|
- BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", len,
|
|
|
|
+ BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, len,
|
|
|
|
BNEP_MTU_SIZE);
|
|
|
|
return (BNEP_MTU_EXCEDED);
|
|
|
|
+ } else if (len < 2) {
|
|
|
|
+ BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
|
|
|
|
+ len);
|
|
|
|
+ return BNEP_IGNORE_CMD;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((!handle) || (handle > BNEP_MAX_CONNECTIONS)) return (BNEP_WRONG_HANDLE);
|