DivestOS/Patches/LineageOS-14.1/android_system_bt/353754.patch

54 lines
1.7 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Cheney Ni <cheneyni@google.com>
Date: Fri, 1 Oct 2021 20:44:20 +0800
Subject: [PATCH] AVDTP: Fix a potential overflow about the media payload
offset
This variable is uint16, and is possible to overflow when the length of
header extension is larger. Here we compare with the data length to
prevent any exceptions.
Bug: 142546355
Tag: #security
Test: A2DP sink playback
Ignore-AOSP-First: security vulnerabilities
Change-Id: Id13b1ebde8f603123c8b7a49922b2f1378ab788f
---
stack/avdt/avdt_scb_act.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/stack/avdt/avdt_scb_act.c b/stack/avdt/avdt_scb_act.c
index 5537c3d1d..011bff1c5 100644
--- a/stack/avdt/avdt_scb_act.c
+++ b/stack/avdt/avdt_scb_act.c
@@ -291,19 +291,26 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data)
if (offset > len) goto length_error;
p += 2;
BE_STREAM_TO_UINT16(ex_len, p);
- offset += ex_len * 4;
p += ex_len * 4;
}
+ if ((p - p_start) > len)
+ {
+ android_errorWriteLog(0x534e4554, "142546355");
+ osi_free_and_reset((void **)&p_data->p_pkt);
+ return;
+ }
+ offset = p - p_start;
+
/* adjust length for any padding at end of packet */
if (o_p)
{
/* padding length in last byte of packet */
- pad_len = *(p_start + p_data->p_pkt->len);
+ pad_len = *(p_start + len);
}
/* do sanity check */
- if ((offset > p_data->p_pkt->len) || ((pad_len + offset) > p_data->p_pkt->len))
+ if (pad_len > (len - offset))
{
AVDT_TRACE_WARNING("Got bad media packet");
osi_free_and_reset((void **)&p_data->p_pkt);