mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-07-03 18:11:24 +00:00
964877bbf6
wgetb96ee4a2d1.patch -O telephony-01.patch wgetc16e6e78c1.patch -O media-01.patch wgetd5771450d7.patch -O media-02.patch wgeta1370bd00c.patch -O nn-01.patch wgetce2776f4ca.patch -O bt-01.patch wget585f583ef5.patch -O bt-02.patch wgetc9905e7968.patch -O bt-03.patch wgetc93ec045f5.patch -O bt-04.patch wget89fb17d172.patch -O bt-05.patch wget14aed2455e.patch -O bt-06.patch wgetcd438ebc52.patch -O bt-07.patch wget27e7cdc4e5.patch -O nfc-01.patch wgetdfeb4270b8.patch -O launcher-01.patch wgetb1993f6cec.patch -O native-01.patch wgetdf4a9362cd.patch -O fwb-01.patch wgetb55563bb9d.patch -O fwb-02.patch wgeta80971a281.patch -O fwb-03.patch wget7e173b4383.patch -O fwb-04.patch wget44191b1c6b.patch -O fwb-05.patch wget8dc8dfe572.patch -O fwb-06.patch wget00a4224100.patch -O av-01.patch wget21623d1f43.patch -O settings-01.patch wgetfa5ec443d9.patch -O settings-02.patch wgetba4da9c7b3.patch -O settings-03.patch Signed-off-by: Tad <tad@spotco.us>
84 lines
2.5 KiB
Diff
84 lines
2.5 KiB
Diff
From 585f583ef5e6c2446df7700d8959774771d2a9d8 Mon Sep 17 00:00:00 2001
|
|
From: Hui Peng <phui@google.com>
|
|
Date: Thu, 11 May 2023 01:10:04 +0000
|
|
Subject: [PATCH] Fix multiple OOB bugs resulted from tx mtu in EATT
|
|
|
|
The tx mtu in EATT can be controlled by remote device. With malicious
|
|
mtu values, it is possible to trigger integer overflow and
|
|
OOB write at multiple places (see the bug below).
|
|
|
|
This fix enforces a max tx mtu in EATT.
|
|
|
|
Bug: 271335899
|
|
Test: manual
|
|
Ignore-AOSP-First: security
|
|
Tag: #security
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:ea76b7d99e6366e2043c5621eda630d559104d36)
|
|
Merged-In: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
|
|
Change-Id: Ia06c9a17f2daa5ce4c32cffa536777f47774cf31
|
|
---
|
|
system/stack/eatt/eatt.h | 9 +++++++--
|
|
system/stack/eatt/eatt_impl.h | 2 +-
|
|
2 files changed, 8 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/system/stack/eatt/eatt.h b/system/stack/eatt/eatt.h
|
|
index 6ef3d3359a..1310f65480 100644
|
|
--- a/system/stack/eatt/eatt.h
|
|
+++ b/system/stack/eatt/eatt.h
|
|
@@ -17,6 +17,7 @@
|
|
|
|
#pragma once
|
|
|
|
+#include <algorithm>
|
|
#include <deque>
|
|
|
|
#include "stack/gatt/gatt_int.h"
|
|
@@ -24,6 +25,7 @@
|
|
|
|
#define EATT_MIN_MTU_MPS (64)
|
|
#define EATT_DEFAULT_MTU (256)
|
|
+#define EATT_MAX_TX_MTU (1024)
|
|
#define EATT_ALL_CIDS (0xFFFF)
|
|
|
|
namespace bluetooth {
|
|
@@ -59,13 +61,13 @@ class EattChannel {
|
|
EattChannel(RawAddress& bda, uint16_t cid, uint16_t tx_mtu, uint16_t rx_mtu)
|
|
: bda_(bda),
|
|
cid_(cid),
|
|
- tx_mtu_(tx_mtu),
|
|
rx_mtu_(rx_mtu),
|
|
state_(EattChannelState::EATT_CHANNEL_PENDING),
|
|
indicate_handle_(0),
|
|
ind_ack_timer_(NULL),
|
|
ind_confirmation_timer_(NULL) {
|
|
cl_cmd_q_ = std::deque<tGATT_CMD_Q>();
|
|
+ EattChannelSetTxMTU(tx_mtu);
|
|
}
|
|
|
|
~EattChannel() {
|
|
@@ -94,7 +96,10 @@ class EattChannel {
|
|
}
|
|
state_ = state;
|
|
}
|
|
- void EattChannelSetTxMTU(uint16_t tx_mtu) { this->tx_mtu_ = tx_mtu; }
|
|
+
|
|
+ void EattChannelSetTxMTU(uint16_t tx_mtu) {
|
|
+ this->tx_mtu_ = std::min<uint16_t>(tx_mtu, EATT_MAX_TX_MTU);
|
|
+ }
|
|
};
|
|
|
|
/* Interface class */
|
|
diff --git a/system/stack/eatt/eatt_impl.h b/system/stack/eatt/eatt_impl.h
|
|
index 998fc10905..c5a78550ce 100644
|
|
--- a/system/stack/eatt/eatt_impl.h
|
|
+++ b/system/stack/eatt/eatt_impl.h
|
|
@@ -447,7 +447,7 @@ struct eatt_impl {
|
|
if (is_local_cfg)
|
|
channel->rx_mtu_ = p_cfg->mtu;
|
|
else
|
|
- channel->tx_mtu_ = p_cfg->mtu;
|
|
+ channel->EattChannelSetTxMTU(p_cfg->mtu);
|
|
|
|
/* Go back to open state */
|
|
channel->EattChannelSetState(EattChannelState::EATT_CHANNEL_OPENED);
|