From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Fri, 2 Dec 2022 00:41:24 +0000
Subject: [PATCH] Report failure when not able to connect to AVRCP
A crash may occur when creating a bluetooth AVRCP connection to a
device.
The code fails to check a return value from an AVRCP function
being used to index into an array. The return value may exceed the
size of the array causing memory outside the bounds of the array to be
accessed leading to memory corruption and a crash.
The fix is to ensure the return value is within the bounds of the
array before accessing the array contents. If the return value is
not within the bounds of the array report it as a failure to the
bluetooth stack.
This change is relevant for android automotive because the IVI
(in-vehicle infotainment system) acts as an AVRCP controller
which still executes this code.
Note: this is a backport of b/214569798, inducted as a non-security
issue. Per b/226927612 it has been found to have security impact
and should be backported to earlier branches.
Bug: 226927612
Test: Manual - set return value to be out of bounds, verify no crash
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I03f89f894c759b85e555a024435b625397ef7e5c
Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
(cherry picked from commit 86112bf0535f3f5a4c6a0a137e67b0eebd9bbdf5)
Merged-In: I03f89f894c759b85e555a024435b625397ef7e5c
---
bta/av/bta_av_act.cc | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
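diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
index 5625f90bf..112645ecf 100644
--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
@@ -1840,7 +1840,21 @@ void bta_av_rc_disc_done(UNUSED_ATTR tBTA_AV_DATA* p_data) {
     if (p_lcb) {
       rc_handle = bta_av_rc_create(p_cb, AVCT_INT,
                                    (uint8_t)(p_scb->hdi + 1), p_lcb->lidx);
-      p_cb->rcb[rc_handle].peer_features = peer_features;
+      if (rc_handle < BTA_AV_NUM_RCB) {
+        p_cb->rcb[rc_handle].peer_features = peer_features;
+      } else {
+        /* cannot create valid rc_handle for current device. report failure
+         */
+        APPL_TRACE_ERROR("%s: no link resources available", __func__);
+        p_scb->use_rc = false;
+        tBTA_AV_RC_OPEN rc_open;
+        rc_open.peer_addr = p_scb->PeerAddress();
+        rc_open.peer_features = 0;
+        rc_open.status = BTA_AV_FAIL_RESOURCES;
+        tBTA_AV bta_av_data;
+        bta_av_data.rc_open = rc_open;
+        (*p_cb->p_cback)(BTA_AV_RC_OPEN_EVT, &bta_av_data);
+      }
     } else {
       APPL_TRACE_ERROR("%s: can not find LCB!!", __func__);
     }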
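Review bot: On the new failure path `rc_open` is declared without an initializer and only `peer_addr`, `peer_features` and `status` are assigned before the struct is copied into `bta_av_data` and handed to `p_cb->p_cback`, so any other member of tBTA_AV_RC_OPEN (its definition is not in this hunk; upstream it also carries an rc_handle field, I believe) reaches the callback as uninitialized stack contents. Value-initialize both, `tBTA_AV_RC_OPEN rc_open = {};` and `tBTA_AV bta_av_data = {};`, so a consumer that reads beyond `status` sees zeroed fields rather than stack garbage. The bounds check `rc_handle < BTA_AV_NUM_RCB` is only sound if rc_handle is an unsigned type; its declaration is outside the hunk, so a short comment there naming the out-of-range sentinel bta_av_rc_create returns on failure would make the intent checkable. Note also that the pre-existing `else` branch for a missing LCB still only logs and does not report BTA_AV_RC_OPEN_EVT with a failure status, so the two failure paths remain inconsistent. bta_av_rc_disc_done starts and ends outside the hunk.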