Tad 202033c013
Pull in old cherrypicks + 5 missing patches from syphyr
This adds 3 expat patches for n-asb-2022-09
from https://github.com/syphyr/android_external_expat/commits/cm-14.1
and also applies 2 of them to 15.1

Signed-off-by: Tad <tad@spotco.us>
2022-09-11 14:02:35 -04:00


From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chienyuan <chienyuanhuang@google.com>
Date: Wed, 30 Jan 2019 19:17:03 +0800
Subject: [PATCH] Fix OOB in BNEP_Write
Bug: 112050583
Test: PoC
Change-Id: I2ad3aceea38950b83f98819ede47538afb053ac0
(cherry picked from commit b31554e2a31534888c0eb593d915f735ce4670c7)
CRs-Fixed: 3155069
---
stack/bnep/bnep_api.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
index 3e866d100..dc349299a 100644
--- a/stack/bnep/bnep_api.c
+++ b/stack/bnep/bnep_api.c
@@ -374,10 +374,16 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle,
/* Check MTU size */
if (p_buf->len > BNEP_MTU_SIZE)
{
- BNEP_TRACE_ERROR ("BNEP_Write() length %d exceeded MTU %d", p_buf->len, BNEP_MTU_SIZE);
+ BNEP_TRACE_ERROR ("%s length %d exceeded MTU %d", __func__, p_buf->len, BNEP_MTU_SIZE);
osi_free(p_buf);
return (BNEP_MTU_EXCEDED);
}
+ else if (p_buf->len < 2)
+ {
+ BNEP_TRACE_ERROR ("%s length %d too short, must be at least 2", __func__, p_buf->len);
+ osi_free(p_buf);
+ return BNEP_IGNORE_CMD;
+ }
/* Check if the packet should be filtered out */
p_data = (UINT8 *)(p_buf + 1) + p_buf->offset;
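Review bot: The lower bound in `else if (p_buf->len < 2)` is a bare literal, repeated in the trace string and again in the BNEP_Write hunk (`else if (len < 2)`), and nothing states which read it protects. Given the patch subject it presumably guards a two-byte read through `p_data` later in BNEP_WriteBuf, but the function starts and ends outside this hunk, so that cannot be confirmed here. A shared named constant (for example `#define BNEP_MIN_WRITE_LEN 2`) with a one-line comment naming the guarded read would keep both checks and both messages in sync. Separately, `p_data` is derived from `p_buf->offset` on the line after the new check and this hunk does not validate `offset`, so it is worth confirming that callers guarantee `offset + len` stays inside the buffer.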
@@ -484,9 +490,14 @@ tBNEP_RESULT BNEP_Write (UINT16 handle,
/* Check MTU size. Consider the possibility of having extension headers */
if (len > BNEP_MTU_SIZE)
{
- BNEP_TRACE_ERROR ("BNEP_Write() length %d exceeded MTU %d", len, BNEP_MTU_SIZE);
+ BNEP_TRACE_ERROR ("%s length %d exceeded MTU %d", __func__, len, BNEP_MTU_SIZE);
return (BNEP_MTU_EXCEDED);
}
+ else if (len < 2)
+ {
+ BNEP_TRACE_ERROR ("%s length %d too short, must be at least 2", __func__, len);
+ return BNEP_IGNORE_CMD;
+ }
if ((!handle) || (handle > BNEP_MAX_CONNECTIONS))
return (BNEP_WRONG_HANDLE);
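Review bot: The added `len < 2` check only guarantees that a fixed two-byte read is in bounds, while the comment directly above the MTU check says the payload may carry extension headers. If the rest of BNEP_Write (outside this hunk) walks those headers using length bytes taken from the payload, each step of that walk needs its own comparison against the remaining `len`; a minimum of 2 does not cover it. I would confirm this and record the scope next to the check, e.g. `/* len >= 2 only covers the fixed 2-byte read; extension headers must be bounded separately */`. Minor: the new branch returns `BNEP_IGNORE_CMD` for a malformed length, which callers may not be able to tell apart from a filtered packet.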