From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Chienyuan Date: Wed, 30 Jan 2019 19:17:03 +0800 Subject: [PATCH] Fix OOB in BNEP_Write Bug: 112050583 Test: PoC Change-Id: I2ad3aceea38950b83f98819ede47538afb053ac0 (cherry picked from commit b31554e2a31534888c0eb593d915f735ce4670c7) CRs-Fixed: 3155069 --- stack/bnep/bnep_api.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c index 3e866d100..dc349299a 100644 --- a/stack/bnep/bnep_api.c +++ b/stack/bnep/bnep_api.c @@ -374,10 +374,16 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle, /* Check MTU size */ if (p_buf->len > BNEP_MTU_SIZE) { - BNEP_TRACE_ERROR ("BNEP_Write() length %d exceeded MTU %d", p_buf->len, BNEP_MTU_SIZE); + BNEP_TRACE_ERROR ("%s length %d exceeded MTU %d", __func__, p_buf->len, BNEP_MTU_SIZE); osi_free(p_buf); return (BNEP_MTU_EXCEDED); } + else if (p_buf->len < 2) + { + BNEP_TRACE_ERROR ("%s length %d too short, must be at least 2", __func__, p_buf->len); + osi_free(p_buf); + return BNEP_IGNORE_CMD; + } /* Check if the packet should be filtered out */ p_data = (UINT8 *)(p_buf + 1) + p_buf->offset; @@ -484,9 +490,14 @@ tBNEP_RESULT BNEP_Write (UINT16 handle, /* Check MTU size. Consider the possibility of having extension headers */ if (len > BNEP_MTU_SIZE) { - BNEP_TRACE_ERROR ("BNEP_Write() length %d exceeded MTU %d", len, BNEP_MTU_SIZE); + BNEP_TRACE_ERROR ("%s length %d exceeded MTU %d", __func__, len, BNEP_MTU_SIZE); return (BNEP_MTU_EXCEDED); } + else if (len < 2) + { + BNEP_TRACE_ERROR ("%s length %d too short, must be at least 2", __func__, len); + return BNEP_IGNORE_CMD; + } if ((!handle) || (handle > BNEP_MAX_CONNECTIONS)) return (BNEP_WRONG_HANDLE);