commit 1a17ed689f5ba836bcc06f61d59b569c846c7066
author Matadeen Mishra <matade@codeaurora.org> Wed Feb 03 18:13:39 2016 +0530
committer Andre Eisenbach <eisenbach@google.com> Tue May 17 17:16:06 2016 +0000
tree 9cbd0be64a1906f03bb34b63d492c03bc3b6319b
parent b534453b1b573995b19e9c12c846290d0789375b

L2CAP: Handle invalid HCI packets

- Handled Buffer over flow for uint16_t
- Discard invalid HCI packets from Codenomican test
  tool as data length and actual data not matching
  during reassembly

Use case:
Execute L2CAP test suit from Defensics Codenomican

Steps:
1. Pair and connect DUT to Codenomican tool
2. Execute L2CAP test suit from Defensics Codenomican

Failure:
Crash observed on DUT and Codenomican tool stuck in execution.

Root cause:
Codenomican tool sending invalid HCI packets to DUT and
there are no checks to handle buffer over flow and other invalid data
from Codenomican tool.

Change-Id: I6f93c80244fc39d607ad285185136bbbca83d7ae

hci/src/packet_fragmenter.c

diff --git a/hci/src/packet_fragmenter.c b/hci/src/packet_fragmenter.c
index 6dfebe2..eae6905 100644
--- a/hci/src/packet_fragmenter.c
+++ b/hci/src/packet_fragmenter.c
@@ -23,6 +23,7 @@
 #include <assert.h>
 #include <string.h>
 
+#include "bt_target.h"
 #include "buffer_allocator.h"
 #include "device/include/controller.h"
 #include "hci_internals.h"
@@ -119,6 +120,10 @@
   callbacks->fragmented(packet, true);
 }
 
+static bool check_uint16_overflow(uint16_t a, uint16_t b) {
+  return (UINT16_MAX - a) < b;
+}
+
 static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR *packet) {
   if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) {
     uint8_t *stream = packet->data;
@@ -145,7 +150,23 @@
         buffer_allocator->free(partial_packet);
       }
 
+      if (acl_length < L2CAP_HEADER_SIZE) {
+        LOG_WARN(LOG_TAG, "%s L2CAP packet too small (%d < %d). Dropping it.", __func__, packet->len, L2CAP_HEADER_SIZE);
+        buffer_allocator->free(packet);
+        return;
+      }
+
       uint16_t full_length = l2cap_length + L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE;
+
+      // Check for buffer overflow and that the full packet size + BT_HDR size is less than
+      // the max buffer size
+      if (check_uint16_overflow(l2cap_length, (L2CAP_HEADER_SIZE + HCI_ACL_PREAMBLE_SIZE)) ||
+          ((full_length + sizeof(BT_HDR)) > BT_DEFAULT_BUFFER_SIZE)) {
+        LOG_ERROR(LOG_TAG, "%s L2CAP packet has invalid length (%d). Dropping it.", __func__, l2cap_length);
+        buffer_allocator->free(packet);
+        return;
+      }
+
       if (full_length <= packet->len) {
         if (full_length < packet->len)
           LOG_WARN(LOG_TAG, "%s found l2cap full length %d less than the hci length %d.", __func__, l2cap_length, packet->len);