commit 09ed13b870a67aac64874a1527e6ed4fe836b9d7
author Pavlin Radoslavov <pavlin@google.com> Thu Jul 06 16:51:35 2017 -0700
committer android-build-team Robot <android-build-team-robot@google.com> Tue Aug 08 18:42:32 2017 +0000
tree 9a5ede9c4cd67d9d92fd7c2c997cb6a6cb381ef8
parent a93eda4e84409848b86d0fcef733f49166cb0ff3

Add missing packet length checks while parsing BNEP control packets

Bug: 63146237
Test: External script
Change-Id: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
Merged-In: Ie778f3c99df81c85ed988f3af89b4edbcc2eeb99
(cherry picked from commit 7feaeb006941a1494d7cdc0a2ffc4bb1004b38b4)
(cherry picked from commit 6d415839da570b94b0763f6ab444f0dd1321fc33)

stack/bnep/bnep_utils.cc

diff --git a/stack/bnep/bnep_utils.cc b/stack/bnep/bnep_utils.cc
index 06a5115..3f5e13e 100644
--- a/stack/bnep/bnep_utils.cc
+++ b/stack/bnep/bnep_utils.cc
@@ -714,25 +714,41 @@
 uint8_t* bnep_process_control_packet(tBNEP_CONN* p_bcb, uint8_t* p,
                                      uint16_t* rem_len, bool is_ext) {
   uint8_t control_type;
-  bool bad_pkt = false;
   uint16_t len, ext_len = 0;
 
+  if (p == NULL || rem_len == NULL) {
+    if (rem_len != NULL) *rem_len = 0;
+    BNEP_TRACE_DEBUG("%s: invalid packet: p = %p rem_len = %p", __func__, p,
+                     rem_len);
+    return NULL;
+  }
+  uint16_t rem_len_orig = *rem_len;
+
   if (is_ext) {
+    if (*rem_len < 1) goto bad_packet_length;
     ext_len = *p++;
     *rem_len = *rem_len - 1;
   }
 
+  if (*rem_len < 1) goto bad_packet_length;
   control_type = *p++;
   *rem_len = *rem_len - 1;
 
   BNEP_TRACE_EVENT(
-      "BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
-      *rem_len, is_ext, control_type);
+      "%s: BNEP processing control packet rem_len %d, is_ext %d, ctrl_type %d",
+      __func__, *rem_len, is_ext, control_type);
 
   switch (control_type) {
     case BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD:
-      BNEP_TRACE_ERROR("BNEP Received Cmd not understood for ctl pkt type: %d",
-                       *p);
+      if (*rem_len < 1) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD with bad length",
+            __func__);
+        goto bad_packet_length;
+      }
+      BNEP_TRACE_ERROR(
+          "%s: Received BNEP_CONTROL_COMMAND_NOT_UNDERSTOOD for pkt type: %d",
+          __func__, *p);
       p++;
       *rem_len = *rem_len - 1;
       break;
@@ -740,9 +756,10 @@
     case BNEP_SETUP_CONNECTION_REQUEST_MSG:
       len = *p++;
       if (*rem_len < ((2 * len) + 1)) {
-        bad_pkt = true;
-        BNEP_TRACE_ERROR("BNEP Received Setup message with bad length");
-        break;
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
       }
       if (!is_ext) bnep_process_setup_conn_req(p_bcb, p, (uint8_t)len);
       p += (2 * len);
@@ -750,6 +767,12 @@
       break;
 
     case BNEP_SETUP_CONNECTION_RESPONSE_MSG:
+      if (*rem_len < 2) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_SETUP_CONNECTION_RESPONSE_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
+      }
       if (!is_ext) bnep_process_setup_conn_responce(p_bcb, p);
       p += 2;
       *rem_len = *rem_len - 2;
@@ -758,9 +781,10 @@
     case BNEP_FILTER_NET_TYPE_SET_MSG:
       BE_STREAM_TO_UINT16(len, p);
       if (*rem_len < (len + 2)) {
-        bad_pkt = true;
-        BNEP_TRACE_ERROR("BNEP Received Filter set message with bad length");
-        break;
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
       }
       bnepu_process_peer_filter_set(p_bcb, p, len);
       p += len;
@@ -768,6 +792,12 @@
       break;
 
     case BNEP_FILTER_NET_TYPE_RESPONSE_MSG:
+      if (*rem_len < 2) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_FILTER_NET_TYPE_RESPONSE_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
+      }
       bnepu_process_peer_filter_rsp(p_bcb, p);
       p += 2;
       *rem_len = *rem_len - 2;
@@ -776,10 +806,10 @@
     case BNEP_FILTER_MULTI_ADDR_SET_MSG:
       BE_STREAM_TO_UINT16(len, p);
       if (*rem_len < (len + 2)) {
-        bad_pkt = true;
         BNEP_TRACE_ERROR(
-            "BNEP Received Multicast Filter Set message with bad length");
-        break;
+            "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
       }
       bnepu_process_peer_multicast_filter_set(p_bcb, p, len);
       p += len;
@@ -787,28 +817,37 @@
       break;
 
     case BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG:
+      if (*rem_len < 2) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG with bad length",
+            __func__);
+        goto bad_packet_length;
+      }
       bnepu_process_multicast_filter_rsp(p_bcb, p);
       p += 2;
       *rem_len = *rem_len - 2;
       break;
 
     default:
-      BNEP_TRACE_ERROR("BNEP - bad ctl pkt type: %d", control_type);
+      BNEP_TRACE_ERROR("%s: BNEP - bad ctl pkt type: %d", __func__,
+                       control_type);
       bnep_send_command_not_understood(p_bcb, control_type);
       if (is_ext) {
+        if (*rem_len < (ext_len - 1)) {
+          goto bad_packet_length;
+        }
         p += (ext_len - 1);
         *rem_len -= (ext_len - 1);
       }
       break;
   }
-
-  if (bad_pkt) {
-    BNEP_TRACE_ERROR("BNEP - bad ctl pkt length: %d", *rem_len);
-    *rem_len = 0;
-    return NULL;
-  }
-
   return p;
+
+bad_packet_length:
+  BNEP_TRACE_ERROR("%s: bad control packet length: original=%d remaining=%d",
+                   __func__, rem_len_orig, *rem_len);
+  *rem_len = 0;
+  return NULL;
 }
 
 /*******************************************************************************