DivestOS/Patches/LineageOS-15.1/android_system_bt/337996.patch

51 lines
1.9 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chienyuan <chienyuanhuang@google.com>
Date: Wed, 30 Jan 2019 19:17:03 +0800
Subject: [PATCH] Fix OOB in BNEP_Write
Bug: 112050583
Test: PoC
Change-Id: I2ad3aceea38950b83f98819ede47538afb053ac0
(cherry picked from commit b31554e2a31534888c0eb593d915f735ce4670c7)
CRs-Fixed: 3155069
---
stack/bnep/bnep_api.cc | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
index 60c8d1117..817507320 100644
--- a/stack/bnep/bnep_api.cc
+++ b/stack/bnep/bnep_api.cc
@@ -346,10 +346,15 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
p_bcb = &(bnep_cb.bcb[handle - 1]);
/* Check MTU size */
if (p_buf->len > BNEP_MTU_SIZE) {
- BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", p_buf->len,
+ BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, p_buf->len,
BNEP_MTU_SIZE);
osi_free(p_buf);
return (BNEP_MTU_EXCEDED);
+ } else if (p_buf->len < 2) {
+ BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
+ p_buf->len);
+ osi_free(p_buf);
+ return BNEP_IGNORE_CMD;
}
/* Check if the packet should be filtered out */
@@ -451,9 +456,13 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,
/* Check MTU size. Consider the possibility of having extension headers */
if (len > BNEP_MTU_SIZE) {
- BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", len,
+ BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, len,
BNEP_MTU_SIZE);
return (BNEP_MTU_EXCEDED);
+ } else if (len < 2) {
+ BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
+ len);
+ return BNEP_IGNORE_CMD;
}
if ((!handle) || (handle > BNEP_MAX_CONNECTIONS)) return (BNEP_WRONG_HANDLE);