From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Cheney Ni Date: Fri, 1 Oct 2021 20:44:20 +0800 Subject: [PATCH] AVDTP: Fix a potential overflow about the media payload offset This variable is uint16, and is possible to overflow when the length of header extension is larger. Here we compare with the data length to prevent any exceptions. Bug: 142546355 Tag: #security Test: A2DP sink playback Ignore-AOSP-First: security vulnerabilities Change-Id: Id13b1ebde8f603123c8b7a49922b2f1378ab788f --- stack/avdt/avdt_scb_act.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/stack/avdt/avdt_scb_act.c b/stack/avdt/avdt_scb_act.c index 5537c3d1d..011bff1c5 100644 --- a/stack/avdt/avdt_scb_act.c +++ b/stack/avdt/avdt_scb_act.c @@ -291,19 +291,26 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB *p_scb, tAVDT_SCB_EVT *p_data) if (offset > len) goto length_error; p += 2; BE_STREAM_TO_UINT16(ex_len, p); - offset += ex_len * 4; p += ex_len * 4; } + if ((p - p_start) > len) + { + android_errorWriteLog(0x534e4554, "142546355"); + osi_free_and_reset((void **)&p_data->p_pkt); + return; + } + offset = p - p_start; + /* adjust length for any padding at end of packet */ if (o_p) { /* padding length in last byte of packet */ - pad_len = *(p_start + p_data->p_pkt->len); + pad_len = *(p_start + len); } /* do sanity check */ - if ((offset > p_data->p_pkt->len) || ((pad_len + offset) > p_data->p_pkt->len)) + if (pad_len > (len - offset)) { AVDT_TRACE_WARNING("Got bad media packet"); osi_free_and_reset((void **)&p_data->p_pkt);