Merge cherrypicks of [4741663, 4741664, 4741665, 4741666, 4743080, 4743081, 4743082, 4743083, 4741262, 4741263, 4741264, 4741265, 4741266, 4741667, 4743084, 4741242, 4741243, 4741741, 4741742, 4741743, 4741744, 4741822, 4743085, 4741668, 4741338, 4743055, 4743056, 4743070, 4743073, 4743075, 4743076, 4743078, 4743079, 4743161, 4743162, 4743164, 4743165, 4743167, 4743168, 4743169, 4743170, 4741681, 4741682, 4741683, 4741684, 4741685, 4741686, 4741687, 4741688, 4741689, 4741690, 4741691, 4741692, 4741693, 4741694, 4741695, 4741696, 4741697, 4741698, 4741699, 4743240, 4743241, 4743242, 4743243, 4741745, 4741823, 4741824, 4741825, 4741267, 4741268, 4743244, 4743280, 4743281, 4743224, 4743203, 4743204, 4743205, 4741746, 4741747, 4743245, 4741826, 4741827, 4741828, 4741829, 4741748, 4741749, 4741750, 4743233, 4743282, 4741244, 4741245, 4741246, 4741247, 4743206, 4743207, 4743208, 4743209, 4743210, 4743211, 4743212, 4743213, 4743214, 4743215, 4743216, 4743217, 4743218, 4743219, 4743360, 4743361, 4743362, 4743363, 4743364, 4743365, 4743366, 4743367, 4743368, 4743369, 4743370, 4743371, 4743372, 4743373, 4743374, 4743375, 4743376, 4743377, 4743283, 4743284, 4741830, 4742501, 4743246, 4743086, 4743087, 4743378, 4743379, 4741751] into sparse-4749909-L04200000199131547
Change-Id: I00e16e086aeb1e49834b5a7c98174418f934cc81
diff --git a/bta/dm/bta_dm_act.cc b/bta/dm/bta_dm_act.cc
index 187bc68..eaa61ab 100644
--- a/bta/dm/bta_dm_act.cc
+++ b/bta/dm/bta_dm_act.cc
@@ -28,6 +28,7 @@
#include <base/bind.h>
#include <base/callback.h>
#include <base/logging.h>
+#include <cutils/log.h>
#include <string.h>
#include "bt_common.h"
@@ -146,6 +147,8 @@
#define BTA_DM_SWITCH_DELAY_TIMER_MS 500
#endif
+#define BTA_MAX_SERVICES 32
+
static void bta_dm_reset_sec_dev_pending(const RawAddress& remote_bd_addr);
static void bta_dm_remove_sec_dev_entry(const RawAddress& remote_bd_addr);
static void bta_dm_observe_results_cb(tBTM_INQ_RESULTS* p_inq, uint8_t* p_eir,
@@ -1486,7 +1489,7 @@
tBT_UUID service_uuid;
uint32_t num_uuids = 0;
- uint8_t uuid_list[32][MAX_UUID_SIZE]; // assuming a max of 32 services
+ uint8_t uuid_list[BTA_MAX_SERVICES][MAX_UUID_SIZE]; // assuming a max of 32 services
if ((p_data->sdp_event.sdp_result == SDP_SUCCESS) ||
(p_data->sdp_event.sdp_result == SDP_NO_RECS_MATCH) ||
@@ -1554,8 +1557,12 @@
bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index -
1];
/* Add to the list of UUIDs */
- sdpu_uuid16_to_uuid128(tmp_svc, uuid_list[num_uuids]);
- num_uuids++;
+ if (num_uuids < BTA_MAX_SERVICES) {
+ sdpu_uuid16_to_uuid128(tmp_svc, uuid_list[num_uuids]);
+ num_uuids++;
+ } else {
+ android_errorWriteLog(0x534e4554, "74016921");
+ }
}
}
}
@@ -1587,8 +1594,12 @@
SDP_FindServiceInDb_128bit(bta_dm_search_cb.p_sdp_db, p_sdp_rec);
if (p_sdp_rec) {
if (SDP_FindServiceUUIDInRec_128bit(p_sdp_rec, &temp_uuid)) {
- memcpy(uuid_list[num_uuids], temp_uuid.uu.uuid128, MAX_UUID_SIZE);
- num_uuids++;
+ if (num_uuids < BTA_MAX_SERVICES) {
+ memcpy(uuid_list[num_uuids], temp_uuid.uu.uuid128, MAX_UUID_SIZE);
+ num_uuids++;
+ } else {
+ android_errorWriteLog(0x534e4554, "74016921");
+ }
}
}
} while (p_sdp_rec);
@@ -3255,11 +3266,14 @@
}
}
} else {
- BTM_SecDeleteDevice(remote_bd_addr);
+ // remote_bd_addr comes from security record, which is removed in
+ // BTM_SecDeleteDevice.
+ RawAddress addr_copy = remote_bd_addr;
+ BTM_SecDeleteDevice(addr_copy);
/* need to remove all pending background connection */
- BTA_GATTC_CancelOpen(0, remote_bd_addr, false);
+ BTA_GATTC_CancelOpen(0, addr_copy, false);
/* remove all cached GATT information */
- BTA_GATTC_Refresh(remote_bd_addr);
+ BTA_GATTC_Refresh(addr_copy);
}
}
diff --git a/bta/hd/bta_hd_act.cc b/bta/hd/bta_hd_act.cc
index 0886422..b8cdb7d 100644
--- a/bta/hd/bta_hd_act.cc
+++ b/bta/hd/bta_hd_act.cc
@@ -36,6 +36,7 @@
#include "bta_sys.h"
#include "btm_api.h"
+#include "log/log.h"
#include "osi/include/osi.h"
static void bta_hd_cback(const RawAddress& bd_addr, uint8_t event,
@@ -504,6 +505,10 @@
APPL_TRACE_API("%s", __func__);
if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+ if (len < 1) {
+ android_errorWriteLog(0x534e4554, "109757986");
+ return;
+ }
ret.report_id = *p_buf;
len--;
@@ -536,15 +541,31 @@
APPL_TRACE_API("%s", __func__);
+ uint16_t remaining_len = p_msg->len;
+ if (remaining_len < 1) {
+ android_errorWriteLog(0x534e4554, "109757168");
+ return;
+ }
+
ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
p_buf++;
+ remaining_len--;
if (bta_hd_cb.use_report_id) {
+ if (remaining_len < 1) {
+ android_errorWriteLog(0x534e4554, "109757168");
+ return;
+ }
ret.report_id = *p_buf;
p_buf++;
+ remaining_len--;
}
if (rep_size_follows) {
+ if (remaining_len < 2) {
+ android_errorWriteLog(0x534e4554, "109757168");
+ return;
+ }
ret.buffer_size = *p_buf | (*(p_buf + 1) << 8);
}
@@ -569,11 +590,19 @@
APPL_TRACE_API("%s", __func__);
+ if (len < 1) {
+ android_errorWriteLog(0x534e4554, "110846194");
+ return;
+ }
ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
p_buf++;
len--;
if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
+ if (len < 1) {
+ android_errorWriteLog(0x534e4554, "109757435");
+ return;
+ }
ret.report_id = *p_buf;
len--;
diff --git a/bta/pan/bta_pan_act.cc b/bta/pan/bta_pan_act.cc
index 41e0bf6..789cce8 100644
--- a/bta/pan/bta_pan_act.cc
+++ b/bta/pan/bta_pan_act.cc
@@ -171,31 +171,25 @@
static void bta_pan_data_buf_ind_cback(uint16_t handle, const RawAddress& src,
const RawAddress& dst, uint16_t protocol,
BT_HDR* p_buf, bool ext, bool forward) {
- tBTA_PAN_SCB* p_scb;
- BT_HDR* p_new_buf;
-
- p_scb = bta_pan_scb_by_handle(handle);
+ tBTA_PAN_SCB* p_scb = bta_pan_scb_by_handle(handle);
if (p_scb == NULL) {
return;
}
- if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
- /* offset smaller than data structure in front of actual data */
- if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
- PAN_BUF_SIZE) {
- android_errorWriteLog(0x534e4554, "63146237");
- APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
- p_buf->len);
- return;
- }
- p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
- memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
- (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
- p_new_buf->len = p_buf->len;
- p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
- } else {
- p_new_buf = p_buf;
+ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+ PAN_BUF_SIZE) {
+ android_errorWriteLog(0x534e4554, "63146237");
+ APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+ p_buf->len);
+ return;
}
+
+ BT_HDR* p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
+ memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
+ (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
+ p_new_buf->len = p_buf->len;
+ p_new_buf->offset = sizeof(tBTA_PAN_DATA_PARAMS);
+
/* copy params into the space before the data */
((tBTA_PAN_DATA_PARAMS*)p_new_buf)->src = src;
((tBTA_PAN_DATA_PARAMS*)p_new_buf)->dst = dst;
diff --git a/btif/src/btif_hf.cc b/btif/src/btif_hf.cc
index 9ec6da8..01a7a44 100644
--- a/btif/src/btif_hf.cc
+++ b/btif/src/btif_hf.cc
@@ -33,6 +33,7 @@
#include <hardware/bluetooth.h>
#include <hardware/bt_hf.h>
+#include <log/log.h>
#include "bta/include/utl.h"
#include "bta_ag_api.h"
@@ -1198,13 +1199,20 @@
dialnum[newidx++] = '+';
}
for (size_t i = 0; number[i] != 0; i++) {
+ if (newidx >= (sizeof(dialnum) - res_strlen - 1)) {
+ android_errorWriteLog(0x534e4554, "79266386");
+ break;
+ }
if (utl_isdialchar(number[i])) {
dialnum[newidx++] = number[i];
}
}
dialnum[newidx] = 0;
- snprintf(&ag_res.str[res_strlen], rem_bytes, ",\"%s\",%d", dialnum,
- type);
+ // Reserve 5 bytes for ["][,][3_digit_type]
+ snprintf(&ag_res.str[res_strlen], rem_bytes - 5, ",\"%s", dialnum);
+ std::stringstream remaining_string;
+ remaining_string << "\"," << type;
+ strncat(&ag_res.str[res_strlen], remaining_string.str().c_str(), 5);
}
}
BTA_AgResult(btif_hf_cb[idx].handle, BTA_AG_CLCC_RES, &ag_res);
@@ -1357,6 +1365,13 @@
else
xx = snprintf(ag_res.str, sizeof(ag_res.str), "\"%s\"", number);
ag_res.num = type;
+ // 5 = [,][3_digit_type][null_terminator]
+ if (xx > static_cast<int>(sizeof(ag_res.str) - 5)) {
+ android_errorWriteLog(0x534e4554, "79431031");
+ xx = sizeof(ag_res.str) - 5;
+ // Null terminating the string
+ memset(&ag_res.str[xx], 0, 5);
+ }
if (res == BTA_AG_CALL_WAIT_RES)
snprintf(&ag_res.str[xx], sizeof(ag_res.str) - xx, ",%d", type);
diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc
index fc10b8b..edd0730 100644
--- a/btif/src/btif_rc.cc
+++ b/btif/src/btif_rc.cc
@@ -45,6 +45,7 @@
#include "btif_util.h"
#include "btu.h"
#include "device/include/interop.h"
+#include "log/log.h"
#include "osi/include/list.h"
#include "osi/include/osi.h"
#include "osi/include/properties.h"
@@ -3502,6 +3503,12 @@
RawAddress rc_addr = p_dev->rc_addr;
app_settings.num_attr = p_rsp->num_val;
+
+ if (app_settings.num_attr > BTRC_MAX_APP_SETTINGS) {
+ android_errorWriteLog(0x534e4554, "73824150");
+ app_settings.num_attr = BTRC_MAX_APP_SETTINGS;
+ }
+
for (xx = 0; xx < app_settings.num_attr; xx++) {
app_settings.attr_ids[xx] = p_rsp->p_vals[xx].attr_id;
app_settings.attr_values[xx] = p_rsp->p_vals[xx].attr_val;
diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc
index 9d4a84e..1c34787 100644
--- a/btif/src/btif_storage.cc
+++ b/btif/src/btif_storage.cc
@@ -235,6 +235,10 @@
bt_uuid_t* p_uuid = (bt_uuid_t*)prop->val + i;
memset(buf, 0, sizeof(buf));
uuid_to_string_legacy(p_uuid, buf, sizeof(buf));
+ if (strlen(value) + strlen(buf) + 1 > (int) sizeof(value) - 1) {
+ android_errorWriteLog(0x534e4554, "73963551");
+ return false;
+ }
strcat(value, buf);
// strcat(value, ";");
strcat(value, " ");
diff --git a/stack/avct/avct_bcb_act.cc b/stack/avct/avct_bcb_act.cc
index bd99562..011a52d 100644
--- a/stack/avct/avct_bcb_act.cc
+++ b/stack/avct/avct_bcb_act.cc
@@ -25,6 +25,7 @@
*
*****************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "avct_api.h"
#include "avct_int.h"
@@ -68,6 +69,12 @@
uint8_t* p;
uint8_t pkt_type;
+ if (p_buf->len == 0) {
+ osi_free_and_reset((void**)&p_buf);
+ android_errorWriteLog(0x534e4554, "79944113");
+ return nullptr;
+ }
+
/* parse the message header */
p = (uint8_t*)(p_buf + 1) + p_buf->offset;
pkt_type = AVCT_PKT_TYPE(p);
@@ -520,6 +527,14 @@
return;
}
+ if (p_data->p_buf->len < AVCT_HDR_LEN_SINGLE) {
+ AVCT_TRACE_WARNING("Invalid AVCTP packet length %d: must be at least %d",
+ p_data->p_buf->len, AVCT_HDR_LEN_SINGLE);
+ osi_free_and_reset((void**)&p_data->p_buf);
+ android_errorWriteLog(0x534e4554, "79944113");
+ return;
+ }
+
p = (uint8_t*)(p_data->p_buf + 1) + p_data->p_buf->offset;
/* parse header byte */
diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index 7ab7edc..52ce2e8 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
@@ -26,6 +26,7 @@
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "avdt_api.h"
#include "avdt_int.h"
@@ -602,6 +603,11 @@
case AVDT_CAT_PROTECT:
p_cfg->psc_mask &= ~AVDT_PSC_PROTECT;
+ if (p + elem_len > p_end) {
+ err = AVDT_ERR_LENGTH;
+ android_errorWriteLog(0x534e4554, "78288378");
+ break;
+ }
if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE) {
p_cfg->num_protect++;
p_cfg->protect_info[protect_offset] = elem_len;
@@ -622,6 +628,11 @@
if (elem_len >= AVDT_CODEC_SIZE) {
tmp = AVDT_CODEC_SIZE - 1;
}
+ if (p + tmp > p_end) {
+ err = AVDT_ERR_LENGTH;
+ android_errorWriteLog(0x534e4554, "78288378");
+ break;
+ }
p_cfg->num_codec++;
p_cfg->codec_info[0] = elem_len;
memcpy(&p_cfg->codec_info[1], p, tmp);
diff --git a/stack/avrc/avrc_api.cc b/stack/avrc/avrc_api.cc
index b67a6b7..bdf78b7 100644
--- a/stack/avrc/avrc_api.cc
+++ b/stack/avrc/avrc_api.cc
@@ -425,15 +425,15 @@
}
if (status != AVRC_STS_NO_ERROR) {
- /* use the current GKI buffer to build/send the reject message */
- p_data = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
+ p_rsp = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+ p_rsp->offset = p_pkt->offset;
+ p_data = (uint8_t*)(p_rsp + 1) + p_pkt->offset;
*p_data++ = AVRC_RSP_REJ;
p_data += AVRC_VENDOR_HDR_SIZE; /* pdu */
*p_data++ = 0; /* pkt_type */
UINT16_TO_BE_STREAM(p_data, 1); /* len */
*p_data++ = status; /* error code */
- p_pkt->len = AVRC_VENDOR_HDR_SIZE + 5;
- p_rsp = p_pkt;
+ p_rsp->len = AVRC_VENDOR_HDR_SIZE + 5;
}
return p_rsp;
@@ -574,6 +574,7 @@
p_rsp = avrc_proc_vendor_command(handle, label, *pp_pkt, p_msg);
if (p_rsp) {
AVCT_MsgReq(handle, label, AVCT_RSP, p_rsp);
+ osi_free_and_reset((void**)pp_pkt);
drop_code = 3;
} else if (p_msg->hdr.opcode == AVRC_OP_DROP) {
drop_code = 1;
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 3343624..fbfeeaf 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -119,6 +119,10 @@
case AVRC_EVT_APP_SETTING_CHANGE:
BE_STREAM_TO_UINT8(p_rsp->param.player_setting.num_attr, p_stream);
+ if (p_rsp->param.player_setting.num_attr > AVRC_MAX_APP_SETTINGS) {
+ android_errorWriteLog(0x534e4554, "73782082");
+ p_rsp->param.player_setting.num_attr = AVRC_MAX_APP_SETTINGS;
+ }
for (int index = 0; index < p_rsp->param.player_setting.num_attr;
index++) {
BE_STREAM_TO_UINT8(p_rsp->param.player_setting.attr_id[index],
diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
index 923ce50..e5d3c09 100644
--- a/stack/bnep/bnep_api.cc
+++ b/stack/bnep/bnep_api.cc
@@ -23,6 +23,7 @@
******************************************************************************/
#include "bnep_api.h"
+#include <log/log.h>
#include <string.h>
#include "bnep_int.h"
@@ -383,6 +384,10 @@
protocol = 0;
else {
new_len += 4;
+ if (new_len > org_len) {
+ android_errorWriteLog(0x534e4554, "74947856");
+ return BNEP_IGNORE_CMD;
+ }
p_data[2] = 0;
p_data[3] = 0;
}
@@ -479,6 +484,10 @@
protocol = 0;
else {
new_len += 4;
+ if (new_len > org_len) {
+ android_errorWriteLog(0x534e4554, "74947856");
+ return BNEP_IGNORE_CMD;
+ }
p_data[2] = 0;
p_data[3] = 0;
}
diff --git a/stack/bnep/bnep_main.cc b/stack/bnep/bnep_main.cc
index f621fdb..d60fb55 100644
--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc
@@ -431,6 +431,11 @@
tBNEP_CONN* p_bcb;
uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;
uint16_t rem_len = p_buf->len;
+ if (rem_len == 0) {
+ android_errorWriteLog(0x534e4554, "78286118");
+ osi_free(p_buf);
+ return;
+ }
uint8_t type, ctrl_type, ext_type = 0;
bool extension_present, fw_ext_present;
uint16_t protocol = 0;
@@ -479,24 +484,35 @@
uint16_t org_len, new_len;
/* parse the extension headers and process unknown control headers */
org_len = rem_len;
- new_len = 0;
do {
- if (org_len < 2) break;
+ if (org_len < 2) {
+ android_errorWriteLog(0x534e4554, "67863755");
+ break;
+ }
ext = *p++;
length = *p++;
- p += length;
new_len = (length + 2);
- if (new_len > org_len) break;
+ if (new_len > org_len) {
+ android_errorWriteLog(0x534e4554, "67863755");
+ break;
+ }
- if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
- bnep_send_command_not_understood(p_bcb, *p);
+ if ((ext & 0x7F) == BNEP_EXTENSION_FILTER_CONTROL) {
+ if (length == 0) {
+ android_errorWriteLog(0x534e4554, "79164722");
+ break;
+ }
+ if (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG) {
+ bnep_send_command_not_understood(p_bcb, *p);
+ }
+ }
+
+ p += length;
org_len -= new_len;
} while (ext & 0x80);
- android_errorWriteLog(0x534e4554, "67863755");
}
-
osi_free(p_buf);
return;
}
@@ -540,13 +556,13 @@
while (extension_present && p && rem_len) {
ext_type = *p++;
rem_len--;
- android_errorWriteLog(0x534e4554, "69271284");
extension_present = ext_type >> 7;
ext_type &= 0x7F;
/* if unknown extension present stop processing */
- if (ext_type) break;
+ if (ext_type != BNEP_EXTENSION_FILTER_CONTROL) break;
+ android_errorWriteLog(0x534e4554, "69271284");
p = bnep_process_control_packet(p_bcb, p, &rem_len, true);
}
}
@@ -607,7 +623,6 @@
if (bnep_cb.p_data_buf_cb) {
(*bnep_cb.p_data_buf_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
p_buf, fw_ext_present);
- osi_free(p_buf);
} else if (bnep_cb.p_data_ind_cb) {
(*bnep_cb.p_data_ind_cb)(p_bcb->handle, *p_src_addr, *p_dst_addr, protocol,
p, rem_len, fw_ext_present);
diff --git a/stack/btm/btm_dev.cc b/stack/btm/btm_dev.cc
index 07332e7..0fe5c20 100644
--- a/stack/btm/btm_dev.cc
+++ b/stack/btm/btm_dev.cc
@@ -147,17 +147,16 @@
return true;
}
-/*******************************************************************************
+/** Free resources associated with the device associated with |bd_addr| address.
*
- * Function BTM_SecDeleteDevice
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
*
- * Description Free resources associated with the device.
- *
- * Parameters: bd_addr - BD address of the peer
- *
- * Returns true if removed OK, false if not found or ACL link is active
- *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
bool BTM_SecDeleteDevice(const RawAddress& bd_addr) {
if (BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_LE) ||
BTM_IsAclConnectionUp(bd_addr, BT_TRANSPORT_BR_EDR)) {
@@ -168,9 +167,10 @@
tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev(bd_addr);
if (p_dev_rec != NULL) {
+ RawAddress bda = p_dev_rec->bd_addr;
btm_sec_free_dev(p_dev_rec);
/* Tell controller to get rid of the link key, if it has one stored */
- BTM_DeleteStoredLinkKey(&p_dev_rec->bd_addr, NULL);
+ BTM_DeleteStoredLinkKey(&bda, NULL);
}
return true;
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 2843ac9..9e77e15 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -29,6 +29,7 @@
#include "bt_utils.h"
#include "gatt_int.h"
#include "l2c_int.h"
+#include "log/log.h"
#include "osi/include/osi.h"
#define GATT_WRITE_LONG_HDR_SIZE 5 /* 1 opcode + 2 handle + 2 offset */
@@ -507,9 +508,24 @@
tGATT_VALUE* p_attr = (tGATT_VALUE*)p_clcb->p_attr_buf;
VLOG(1) << __func__;
- STREAM_TO_UINT8(opcode, p);
- STREAM_TO_UINT16(handle, p);
- STREAM_TO_UINT8(reason, p);
+
+ if (len < 4) {
+ android_errorWriteLog(0x534e4554, "79591688");
+ LOG(ERROR) << "Error response too short";
+ // Specification does not clearly define what should happen if error
+ // response is too short. General rule in BT Spec 5.0 Vol 3, Part F 3.4.1.1
+ // is: "If an error code is received in the Error Response that is not
+ // understood by the client, for example an error code that was reserved for
+ // future use that is now being used in a future version of this
+ // specification, then the Error Response shall still be considered to state
+ // that the given request cannot be performed for an unknown reason."
+ opcode = handle = 0;
+ reason = 0x7F;
+ } else {
+ STREAM_TO_UINT8(opcode, p);
+ STREAM_TO_UINT16(handle, p);
+ STREAM_TO_UINT8(reason, p);
+ }
if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY) {
gatt_proc_disc_error_rsp(tcb, p_clcb, opcode, handle, reason);
diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
index 3af9866..f9e8f53 100644
--- a/stack/gatt/gatt_sr.cc
+++ b/stack/gatt/gatt_sr.cc
@@ -22,6 +22,7 @@
*
******************************************************************************/
+#include <log/log.h>
#include "bt_target.h"
#include "bt_utils.h"
#include "osi/include/osi.h"
@@ -281,8 +282,8 @@
* Returns void
*
******************************************************************************/
-void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code,
- UNUSED_ATTR uint16_t len, uint8_t* p_data) {
+void gatt_process_exec_write_req(tGATT_TCB& tcb, uint8_t op_code, uint16_t len,
+ uint8_t* p_data) {
uint8_t *p = p_data, flag, i = 0;
uint32_t trans_id = 0;
tGATT_IF gatt_if;
@@ -301,6 +302,13 @@
}
#endif
+ if (len < sizeof(flag)) {
+ android_errorWriteLog(0x534e4554, "73172115");
+ LOG(ERROR) << __func__ << "invalid length";
+ gatt_send_error_rsp(tcb, GATT_INVALID_PDU, GATT_REQ_EXEC_WRITE, 0, false);
+ return;
+ }
+
STREAM_TO_UINT8(flag, p);
/* mask the flag */
@@ -780,7 +788,8 @@
void gatts_process_read_by_type_req(tGATT_TCB& tcb, uint8_t op_code,
uint16_t len, uint8_t* p_data) {
tBT_UUID uuid;
- uint16_t s_hdl, e_hdl, err_hdl = 0;
+ uint16_t s_hdl = 0, e_hdl = 0, err_hdl = 0;
+ if (len < 4) android_errorWriteLog(0x534e4554, "73125709");
tGATT_STATUS reason =
gatts_validate_packet_format(op_code, len, p_data, &uuid, s_hdl, e_hdl);
@@ -940,9 +949,19 @@
*/
static void gatts_process_read_req(tGATT_TCB& tcb, tGATT_SRV_LIST_ELEM& el,
uint8_t op_code, uint16_t handle,
- UNUSED_ATTR uint16_t len, uint8_t* p_data) {
+ uint16_t len, uint8_t* p_data) {
size_t buf_len = sizeof(BT_HDR) + tcb.payload_size + L2CAP_MIN_OFFSET;
uint16_t offset = 0;
+
+ if (op_code == GATT_REQ_READ_BLOB && len < sizeof(uint16_t)) {
+ /* Error: packet length is too short */
+ LOG(ERROR) << __func__ << ": packet length=" << len
+ << " too short. min=" << sizeof(uint16_t);
+ android_errorWriteWithInfoLog(0x534e4554, "73172115", -1, NULL, 0);
+ gatt_send_error_rsp(tcb, GATT_INVALID_PDU, op_code, 0, false);
+ return;
+ }
+
BT_HDR* p_msg = (BT_HDR*)osi_calloc(buf_len);
if (op_code == GATT_REQ_READ_BLOB) STREAM_TO_UINT16(offset, p_data);
@@ -964,7 +983,7 @@
if (reason != GATT_SUCCESS) {
osi_free(p_msg);
- /* in theroy BUSY is not possible(should already been checked), protected
+ /* in theory BUSY is not possible(should already been checked), protected
* check */
if (reason != GATT_PENDING && reason != GATT_BUSY)
gatt_send_error_rsp(tcb, reason, op_code, handle, false);
diff --git a/stack/hid/hidh_conn.cc b/stack/hid/hidh_conn.cc
index 1ab03b7..a41aa90 100644
--- a/stack/hid/hidh_conn.cc
+++ b/stack/hid/hidh_conn.cc
@@ -42,6 +42,7 @@
#include "hidh_api.h"
#include "hidh_int.h"
+#include "log/log.h"
#include "osi/include/osi.h"
static uint8_t find_conn_by_cid(uint16_t cid);
@@ -799,6 +800,14 @@
return;
}
+ if (p_msg->len < 1) {
+ HIDH_TRACE_WARNING("Rcvd L2CAP data, invalid length %d, should be >= 1",
+ p_msg->len);
+ osi_free(p_msg);
+ android_errorWriteLog(0x534e4554, "80493272");
+ return;
+ }
+
ttype = HID_GET_TRANS_FROM_HDR(*p_data);
param = HID_GET_PARAM_FROM_HDR(*p_data);
rep_type = param & HID_PAR_REP_TYPE_MASK;
diff --git a/stack/include/btm_api.h b/stack/include/btm_api.h
index 10f4f65..3dd5567 100644
--- a/stack/include/btm_api.h
+++ b/stack/include/btm_api.h
@@ -1411,15 +1411,16 @@
uint8_t key_type, tBTM_IO_CAP io_cap,
uint8_t pin_length);
-/*******************************************************************************
+/** Free resources associated with the device associated with |bd_addr| address.
*
- * Function BTM_SecDeleteDevice
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
*
- * Description Free resources associated with the device.
- *
- * Returns true if rmoved OK, false if not found
- *
- ******************************************************************************/
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
extern bool BTM_SecDeleteDevice(const RawAddress& bd_addr);
/*******************************************************************************
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index 6c7820f..078f75f 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -33,6 +33,7 @@
#include "hcimsgs.h"
#include "l2c_int.h"
#include "l2cdefs.h"
+#include "log/log.h"
#include "osi/include/osi.h"
#include "stack_config.h"
@@ -573,6 +574,12 @@
uint16_t credit;
p_pkt_end = p + pkt_len;
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
STREAM_TO_UINT8(cmd_code, p);
STREAM_TO_UINT8(id, p);
STREAM_TO_UINT16(cmd_len, p);
@@ -598,6 +605,12 @@
break;
case L2CAP_CMD_BLE_UPDATE_REQ:
+ if (p + 8 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
STREAM_TO_UINT16(min_interval, p); /* 0x0006 - 0x0C80 */
STREAM_TO_UINT16(max_interval, p); /* 0x0006 - 0x0C80 */
STREAM_TO_UINT16(latency, p); /* 0x0000 - 0x03E8 */
@@ -646,6 +659,12 @@
break;
case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:
+ if (p + 10 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
STREAM_TO_UINT16(con_info.psm, p);
STREAM_TO_UINT16(rcid, p);
STREAM_TO_UINT16(mtu, p);
@@ -729,6 +748,12 @@
}
if (p_ccb) {
L2CAP_TRACE_DEBUG("I remember the connection req");
+ if (p + 10 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
STREAM_TO_UINT16(p_ccb->remote_cid, p);
STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mtu, p);
STREAM_TO_UINT16(p_ccb->peer_conn_cfg.mps, p);
@@ -774,6 +799,12 @@
break;
case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
+
STREAM_TO_UINT16(lcid, p);
p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid);
if (p_ccb == NULL) {
@@ -788,6 +819,10 @@
break;
case L2CAP_CMD_DISC_REQ:
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "74121659");
+ return;
+ }
STREAM_TO_UINT16(lcid, p);
STREAM_TO_UINT16(rcid, p);
@@ -803,6 +838,11 @@
break;
case L2CAP_CMD_DISC_RSP:
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "80261585");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
STREAM_TO_UINT16(rcid, p);
STREAM_TO_UINT16(lcid, p);
diff --git a/stack/l2cap/l2c_fcr.cc b/stack/l2cap/l2c_fcr.cc
index 0e5a84a..9c2742f 100644
--- a/stack/l2cap/l2c_fcr.cc
+++ b/stack/l2cap/l2c_fcr.cc
@@ -24,6 +24,7 @@
******************************************************************************/
#include <base/logging.h>
+#include <log/log.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -855,8 +856,24 @@
p_buf->offset += sizeof(sdu_length);
p_data->offset = 0;
- } else
+ } else {
p_data = p_ccb->ble_sdu;
+ if (p_buf->len > (p_ccb->ble_sdu_length - p_data->len)) {
+ L2CAP_TRACE_ERROR("%s: buffer length=%d too big. max=%d. Dropped",
+ __func__, p_data->len,
+ (p_ccb->ble_sdu_length - p_data->len));
+ android_errorWriteWithInfoLog(0x534e4554, "75298652", -1, NULL, 0);
+ osi_free(p_buf);
+
+ /* Throw away all pending fragments and disconnects */
+ p_ccb->is_first_seg = true;
+ osi_free(p_ccb->ble_sdu);
+ p_ccb->ble_sdu = NULL;
+ p_ccb->ble_sdu_length = 0;
+ l2cu_disconnect_chnl(p_ccb);
+ return;
+ }
+ }
memcpy((uint8_t*)(p_data + 1) + p_data->offset + p_data->len,
(uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
@@ -869,9 +886,6 @@
p_ccb->ble_sdu_length = 0;
} else if (p_data->len < p_ccb->ble_sdu_length) {
p_ccb->is_first_seg = false;
- } else {
- L2CAP_TRACE_ERROR("%s Length in the SDU messed up", __func__);
- // TODO: reset every thing may be???
}
osi_free(p_buf);
diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index 83d1737..1f3fb8f 100644
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -320,8 +320,16 @@
switch (cmd_code) {
case L2CAP_CMD_REJECT:
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(rej_reason, p);
if (rej_reason == L2CAP_CMD_REJ_MTU_EXCEEDED) {
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(rej_mtu, p);
/* What to do with the MTU reject ? We have negotiated an MTU. For now
*/
@@ -332,6 +340,10 @@
p_lcb->handle, rej_mtu);
}
if (rej_reason == L2CAP_CMD_REJ_INVALID_CID) {
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(rcid, p);
STREAM_TO_UINT16(lcid, p);
@@ -365,6 +377,10 @@
break;
case L2CAP_CMD_CONN_REQ:
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(con_info.psm, p);
STREAM_TO_UINT16(rcid, p);
p_rcb = l2cu_find_rcb_by_psm(con_info.psm);
@@ -396,6 +412,10 @@
break;
case L2CAP_CMD_CONN_RSP:
+ if (p + 8 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(con_info.remote_cid, p);
STREAM_TO_UINT16(lcid, p);
STREAM_TO_UINT16(con_info.l2cap_result, p);
@@ -427,6 +447,10 @@
cfg_rej = false;
cfg_rej_len = 0;
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(lcid, p);
STREAM_TO_UINT16(cfg_info.flags, p);
@@ -437,22 +461,38 @@
false;
while (p < p_cfg_end) {
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_code, p);
STREAM_TO_UINT8(cfg_len, p);
switch (cfg_code & 0x7F) {
case L2CAP_CFG_TYPE_MTU:
cfg_info.mtu_present = true;
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.mtu, p);
break;
case L2CAP_CFG_TYPE_FLUSH_TOUT:
cfg_info.flush_to_present = true;
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.flush_to, p);
break;
case L2CAP_CFG_TYPE_QOS:
cfg_info.qos_present = true;
+ if (p + 2 + 5 * 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.qos.qos_flags, p);
STREAM_TO_UINT8(cfg_info.qos.service_type, p);
STREAM_TO_UINT32(cfg_info.qos.token_rate, p);
@@ -464,6 +504,10 @@
case L2CAP_CFG_TYPE_FCR:
cfg_info.fcr_present = true;
+ if (p + 3 + 3 * 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcr.mode, p);
STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p);
STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p);
@@ -474,11 +518,19 @@
case L2CAP_CFG_TYPE_FCS:
cfg_info.fcs_present = true;
+ if (p + 1 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcs, p);
break;
case L2CAP_CFG_TYPE_EXT_FLOW:
cfg_info.ext_flow_spec_present = true;
+ if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p);
STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p);
STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p);
@@ -490,6 +542,10 @@
default:
/* sanity check option length */
if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len) {
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "79488381");
+ return;
+ }
p += cfg_len;
if ((cfg_code & 0x80) == 0) {
cfg_rej_len += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
@@ -523,6 +579,10 @@
case L2CAP_CMD_CONFIG_RSP:
p_cfg_end = p + cmd_len;
+ if (p + 6 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(lcid, p);
STREAM_TO_UINT16(cfg_info.flags, p);
STREAM_TO_UINT16(cfg_info.result, p);
@@ -532,22 +592,38 @@
false;
while (p < p_cfg_end) {
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_code, p);
STREAM_TO_UINT8(cfg_len, p);
switch (cfg_code & 0x7F) {
case L2CAP_CFG_TYPE_MTU:
cfg_info.mtu_present = true;
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.mtu, p);
break;
case L2CAP_CFG_TYPE_FLUSH_TOUT:
cfg_info.flush_to_present = true;
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(cfg_info.flush_to, p);
break;
case L2CAP_CFG_TYPE_QOS:
cfg_info.qos_present = true;
+ if (p + 2 + 5 * 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.qos.qos_flags, p);
STREAM_TO_UINT8(cfg_info.qos.service_type, p);
STREAM_TO_UINT32(cfg_info.qos.token_rate, p);
@@ -559,6 +635,10 @@
case L2CAP_CFG_TYPE_FCR:
cfg_info.fcr_present = true;
+ if (p + 3 + 3 * 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcr.mode, p);
STREAM_TO_UINT8(cfg_info.fcr.tx_win_sz, p);
STREAM_TO_UINT8(cfg_info.fcr.max_transmit, p);
@@ -569,11 +649,19 @@
case L2CAP_CFG_TYPE_FCS:
cfg_info.fcs_present = true;
+ if (p + 1 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.fcs, p);
break;
case L2CAP_CFG_TYPE_EXT_FLOW:
cfg_info.ext_flow_spec_present = true;
+ if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8(cfg_info.ext_flow_spec.id, p);
STREAM_TO_UINT8(cfg_info.ext_flow_spec.stype, p);
STREAM_TO_UINT16(cfg_info.ext_flow_spec.max_sdu_size, p);
@@ -603,6 +691,10 @@
break;
case L2CAP_CMD_DISC_REQ:
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(lcid, p);
STREAM_TO_UINT16(rcid, p);
@@ -618,6 +710,10 @@
break;
case L2CAP_CMD_DISC_RSP:
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(rcid, p);
STREAM_TO_UINT16(lcid, p);
@@ -645,6 +741,10 @@
break;
case L2CAP_CMD_INFO_REQ:
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(info_type, p);
l2cu_send_peer_info_rsp(p_lcb, id, info_type);
break;
@@ -656,6 +756,10 @@
p_lcb->w4_info_rsp = false;
}
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16(info_type, p);
STREAM_TO_UINT16(result, p);
@@ -663,6 +767,10 @@
if ((info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE) &&
(result == L2CAP_INFO_RESP_RESULT_SUCCESS)) {
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT32(p_lcb->peer_ext_fea, p);
#if (L2CAP_NUM_FIXED_CHNLS > 0)
diff --git a/stack/pan/pan_main.cc b/stack/pan/pan_main.cc
index d7cd27b..6a55423 100644
--- a/stack/pan/pan_main.cc
+++ b/stack/pan/pan_main.cc
@@ -595,12 +595,11 @@
if (pan_cb.pan_data_buf_ind_cb)
(*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf,
ext, forward);
- else if (pan_cb.pan_data_ind_cb) {
+ else if (pan_cb.pan_data_ind_cb)
(*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len,
ext, forward);
- osi_free(p_buf);
- }
+ osi_free(p_buf);
return;
}
@@ -625,13 +624,10 @@
if (pan_cb.pan_data_buf_ind_cb)
(*pan_cb.pan_data_buf_ind_cb)(pcb->handle, src, dst, protocol, p_buf, ext,
forward);
- else if (pan_cb.pan_data_ind_cb) {
+ else if (pan_cb.pan_data_ind_cb)
(*pan_cb.pan_data_ind_cb)(pcb->handle, src, dst, protocol, p_data, len, ext,
forward);
- osi_free(p_buf);
- } else
- osi_free(p_buf);
-
+ osi_free(p_buf);
return;
}
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index 7eea5fd..bf6f43b 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -332,7 +332,7 @@
******************************************************************************/
#if (SDP_RAW_DATA_INCLUDED == TRUE)
static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
- unsigned int cpy_len;
+ unsigned int cpy_len, rem_len;
uint32_t list_len;
uint8_t* p;
uint8_t type;
@@ -357,9 +357,14 @@
type = *p++;
p = sdpu_get_len_from_type(p, type, &list_len);
}
- if (list_len && list_len < cpy_len) {
+ if (list_len < cpy_len) {
cpy_len = list_len;
}
+ rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]);
+ if (cpy_len > rem_len) {
+ SDP_TRACE_WARNING("rem_len :%d less than cpy_len:%d", rem_len, cpy_len);
+ cpy_len = rem_len;
+ }
SDP_TRACE_WARNING(
"%s: list_len:%d cpy_len:%d p:%p p_ccb:%p p_db:%p raw_size:%d "
"raw_used:%d raw_data:%p",
@@ -531,6 +536,13 @@
#endif
/* If p_reply is NULL, we were called for the initial read */
if (p_reply) {
+ if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
+ p_reply_end) {
+ android_errorWriteLog(0x534e4554, "79884292");
+ sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+ return;
+ }
+
#if (SDP_DEBUG_RAW == TRUE)
SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x", p_reply[0], p_reply[1],
p_reply[2], p_reply[3]);
@@ -554,6 +566,13 @@
SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d", p_ccb->list_len,
lists_byte_count);
#endif
+
+ if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
+ android_errorWriteLog(0x534e4554, "79884292");
+ sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+ return;
+ }
+
if (p_ccb->rsp_list == NULL)
p_ccb->rsp_list = (uint8_t*)osi_malloc(SDP_MAX_LIST_BYTE_COUNT);
memcpy(&p_ccb->rsp_list[p_ccb->list_len], p_reply, lists_byte_count);
diff --git a/stack/sdp/sdp_server.cc b/stack/sdp/sdp_server.cc
index e4ed60a..510b8dc 100644
--- a/stack/sdp/sdp_server.cc
+++ b/stack/sdp/sdp_server.cc
@@ -333,9 +333,11 @@
/* Extract the record handle */
BE_STREAM_TO_UINT32(rec_handle, p_req);
+ param_len -= sizeof(rec_handle);
/* Get the max list length we can send. Cap it at MTU size minus overhead */
BE_STREAM_TO_UINT16(max_list_len, p_req);
+ param_len -= sizeof(max_list_len);
if (max_list_len > (p_ccb->rem_mtu_size - SDP_MAX_ATTR_RSPHDR_LEN))
max_list_len = p_ccb->rem_mtu_size - SDP_MAX_ATTR_RSPHDR_LEN;
@@ -419,6 +421,13 @@
attr_len = sdpu_get_attrib_entry_len(p_attr);
/* if there is a partial attribute pending to be sent */
if (p_ccb->cont_info.attr_offset) {
+ if (attr_len < p_ccb->cont_info.attr_offset) {
+ android_errorWriteLog(0x534e4554, "79217770");
+ LOG(ERROR) << "offset is bigger than attribute length";
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+ SDP_TEXT_BAD_CONT_LEN);
+ return;
+ }
p_rsp = sdpu_build_partial_attrib_entry(p_rsp, p_attr, rem_len,
&p_ccb->cont_info.attr_offset);
@@ -567,6 +576,7 @@
if (max_list_len > (p_ccb->rem_mtu_size - SDP_MAX_SERVATTR_RSPHDR_LEN))
max_list_len = p_ccb->rem_mtu_size - SDP_MAX_SERVATTR_RSPHDR_LEN;
+ param_len = static_cast<uint16_t>(p_req_end - p_req);
p_req = sdpu_extract_attr_seq(p_req, param_len, &attr_seq);
if ((!p_req) || (!attr_seq.num_attr) ||
@@ -658,6 +668,13 @@
attr_len = sdpu_get_attrib_entry_len(p_attr);
/* if there is a partial attribute pending to be sent */
if (p_ccb->cont_info.attr_offset) {
+ if (attr_len < p_ccb->cont_info.attr_offset) {
+ android_errorWriteLog(0x534e4554, "79217770");
+ LOG(ERROR) << "offset is bigger than attribute length";
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+ SDP_TEXT_BAD_CONT_LEN);
+ return;
+ }
p_rsp = sdpu_build_partial_attrib_entry(
p_rsp, p_attr, rem_len, &p_ccb->cont_info.attr_offset);
diff --git a/stack/smp/p_256_ecc_pp.cc b/stack/smp/p_256_ecc_pp.cc
index b416e1d..911dc54 100644
--- a/stack/smp/p_256_ecc_pp.cc
+++ b/stack/smp/p_256_ecc_pp.cc
@@ -245,3 +245,25 @@
multiprecision_mersenns_mult_mod(q->z, q->z, minus_p.x, keyLength);
multiprecision_mersenns_mult_mod(q->y, q->y, q->z, keyLength);
}
+
+bool ECC_ValidatePoint(const Point& pt) {
+ const size_t kl = KEY_LENGTH_DWORDS_P256;
+ p_256_init_curve(kl);
+
+ // Ensure y^2 = x^3 + a*x + b (mod p); a = -3
+
+ // y^2 mod p
+ uint32_t y2_mod[kl] = {0};
+ multiprecision_mersenns_squa_mod(y2_mod, (uint32_t*)pt.y, kl);
+
+ // Right hand side calculation
+ uint32_t rhs[kl] = {0};
+ multiprecision_mersenns_squa_mod(rhs, (uint32_t*)pt.x, kl);
+ uint32_t three[kl] = {0};
+ three[0] = 3;
+ multiprecision_sub_mod(rhs, rhs, three, kl);
+ multiprecision_mersenns_mult_mod(rhs, rhs, (uint32_t*)pt.x, kl);
+ multiprecision_add_mod(rhs, rhs, curve_p256.b, kl);
+
+ return multiprecision_compare(rhs, y2_mod, kl) == 0;
+}
diff --git a/stack/smp/p_256_ecc_pp.h b/stack/smp/p_256_ecc_pp.h
index dcc4211..b7a8e00 100644
--- a/stack/smp/p_256_ecc_pp.h
+++ b/stack/smp/p_256_ecc_pp.h
@@ -25,6 +25,7 @@
#pragma once
+#include <cstdbool>
#include "p_256_multprecision.h"
typedef struct {
@@ -55,6 +56,8 @@
extern elliptic_curve_t curve;
extern elliptic_curve_t curve_p256;
+bool ECC_ValidatePoint(const Point& p);
+
void ECC_PointMult_Bin_NAF(Point* q, Point* p, uint32_t* n, uint32_t keyLength);
#define ECC_PointMult(q, p, n, keyLength) \
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index df9fab9..2103776 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -22,6 +22,7 @@
#include "include/bt_target.h"
#include "stack/btm/btm_int.h"
#include "stack/include/l2c_api.h"
+#include "stack/smp/p_256_ecc_pp.h"
#include "stack/smp/smp_int.h"
#include "utils/include/bt_utils.h"
@@ -655,6 +656,17 @@
STREAM_TO_ARRAY(p_cb->peer_publ_key.x, p, BT_OCTET32_LEN);
STREAM_TO_ARRAY(p_cb->peer_publ_key.y, p, BT_OCTET32_LEN);
+
+ Point pt;
+ memcpy(pt.x, p_cb->peer_publ_key.x, BT_OCTET32_LEN);
+ memcpy(pt.y, p_cb->peer_publ_key.y, BT_OCTET32_LEN);
+
+ if (!ECC_ValidatePoint(pt)) {
+ android_errorWriteLog(0x534e4554, "72377774");
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
p_cb->flags |= SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY;
smp_wait_for_both_public_keys(p_cb, NULL);
diff --git a/stack/smp/smp_br_main.cc b/stack/smp/smp_br_main.cc
index 260b9c4..55405cc 100644
--- a/stack/smp/smp_br_main.cc
+++ b/stack/smp/smp_br_main.cc
@@ -19,6 +19,7 @@
#include "bt_target.h"
#include <string.h>
+#include "log/log.h"
#include "smp_int.h"
const char* const smp_br_state_name[SMP_BR_STATE_MAX + 1] = {
@@ -308,6 +309,12 @@
return;
}
+ if (p_cb->role > HCI_ROLE_SLAVE) {
+ SMP_TRACE_ERROR("%s: invalid role %d", __func__, p_cb->role);
+ android_errorWriteLog(0x534e4554, "80145946");
+ return;
+ }
+
SMP_TRACE_DEBUG("SMP Role: %s State: [%s (%d)], Event: [%s (%d)]",
(p_cb->role == HCI_ROLE_SLAVE) ? "Slave" : "Master",
smp_get_br_state_name(p_cb->br_state), p_cb->br_state,
diff --git a/stack/smp/smp_main.cc b/stack/smp/smp_main.cc
index 829a5d4..49e2ece 100644
--- a/stack/smp/smp_main.cc
+++ b/stack/smp/smp_main.cc
@@ -18,6 +18,7 @@
#include "bt_target.h"
+#include <cutils/log.h>
#include <string.h>
#include "smp_int.h"
@@ -954,6 +955,13 @@
uint8_t curr_state = p_cb->state;
tSMP_SM_TBL state_table;
uint8_t action, entry, i;
+
+ if (p_cb->role >= 2) {
+ SMP_TRACE_DEBUG("Invalid role: %d", p_cb->role);
+ android_errorWriteLog(0x534e4554, "74121126");
+ return;
+ }
+
tSMP_ENTRY_TBL entry_table = smp_entry_table[p_cb->role];
SMP_TRACE_EVENT("main smp_sm_event");
