Add packet length checks in l2cble_process_sig_cmd Bug: 80261585 Test: compilation Change-Id: Icf55747dc948bcce140a12658237554938e2d717 (cherry picked from commit 02f47a752c818277b31852e3ff940764d5c7f9c7)

commit: 025fe7dd743252716cb439707787e17e0c42402f [log] [tgz]
author: Jakub Pawlowski <jpawlowski@google.com> Thu Jun 21 22:56:11 2018 -0700
committer: Max Spector <mspector@google.com> Fri Jul 20 13:56:11 2018 -0700
tree: f1c401742ea1b39f50adafcbb5951853f0c6b450
parent: 96431829c3eb700bcb44a44073a9d4b276ae6b46 [diff]
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index 17ce2d3..078f75f 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc

@@ -574,6 +574,12 @@
   uint16_t credit;
   p_pkt_end = p + pkt_len;
 
+  if (p + 4 > p_pkt_end) {
+    android_errorWriteLog(0x534e4554, "80261585");
+    LOG(ERROR) << "invalid read";
+    return;
+  }
+
   STREAM_TO_UINT8(cmd_code, p);
   STREAM_TO_UINT8(id, p);
   STREAM_TO_UINT16(cmd_len, p);
@@ -599,6 +605,12 @@
       break;
 
     case L2CAP_CMD_BLE_UPDATE_REQ:
+      if (p + 8 > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "80261585");
+        LOG(ERROR) << "invalid read";
+        return;
+      }
+
       STREAM_TO_UINT16(min_interval, p); /* 0x0006 - 0x0C80 */
       STREAM_TO_UINT16(max_interval, p); /* 0x0006 - 0x0C80 */
       STREAM_TO_UINT16(latency, p);      /* 0x0000 - 0x03E8 */
@@ -647,6 +659,12 @@
       break;
 
     case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:
+      if (p + 10 > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "80261585");
+        LOG(ERROR) << "invalid read";
+        return;
+      }
+
       STREAM_TO_UINT16(con_info.psm, p);
       STREAM_TO_UINT16(rcid, p);
       STREAM_TO_UINT16(mtu, p);
@@ -730,6 +748,12 @@
       }
       if (p_ccb) {
         L2CAP_TRACE_DEBUG("I remember the connection req");
+        if (p + 10 > p_pkt_end) {
+          android_errorWriteLog(0x534e4554, "80261585");
+          LOG(ERROR) << "invalid read";
+          return;
+        }
+
         STREAM_TO_UINT16(p_ccb->remote_cid, p);
         STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mtu, p);
         STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mps, p);
@@ -775,6 +799,12 @@
       break;
 
     case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:
+      if (p + 4 > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "80261585");
+        LOG(ERROR) << "invalid read";
+        return;
+      }
+
       STREAM_TO_UINT16(lcid, p);
       p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid);
       if (p_ccb == NULL) {
@@ -808,6 +838,11 @@
       break;
 
     case L2CAP_CMD_DISC_RSP:
+      if (p + 4 > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "80261585");
+        LOG(ERROR) << "invalid read";
+        return;
+      }
       STREAM_TO_UINT16(rcid, p);
       STREAM_TO_UINT16(lcid, p);
commit	025fe7dd743252716cb439707787e17e0c42402f	[log] [tgz]
author	Jakub Pawlowski <jpawlowski@google.com>	Thu Jun 21 22:56:11 2018 -0700
committer	Max Spector <mspector@google.com>	Fri Jul 20 13:56:11 2018 -0700
tree	f1c401742ea1b39f50adafcbb5951853f0c6b450
parent	96431829c3eb700bcb44a44073a9d4b276ae6b46 [diff]