commit 5ce88e738dd2febf407db52f6bf7a1b71f7b346b
author Jack He <siyuanh@google.com> Fri Jun 01 14:00:42 2018 -0700
committer Ryan Longair <rlongair@google.com> Tue Jun 12 11:13:27 2018 -0700
tree 9e6b4c2403db95ae9a12dd5ce507026922bdafbb
parent 7ee96f569c29c063d83f6ae1360f2ba5596524cc

BNEP: Fix OOB access in bnep_data_ind

* Stop reading the L2CAP packet if packet length is 0
* Process the buffer for BNEP_EXTENSION_CONTROL packet before advancing
  the buffer pointer by length of payload
* Reject BNEP_EXTENSION_CONTROL packet when the payload size is zero
* Move error logging to more appropriate locations at where the OOB access
  is most likely triggered

Bug: 78286118
Bug: 79164722
Test: Send zero length L2CAP packet to BNEP, send invalid
      BNEP_EXTENSION_CONTROL packet
Change-Id: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
Merged-In: I7e18632b8faab1b6aaca1bff1b7f55d69962729e
(cherry picked from commit 3c799a6e25abdf6bacb660ff7a06338836cc7356)
(cherry picked from commit 0bd01271c4d888453ba375d9442ac27cd66961c9)

stack/bnep/bnep_main.c

diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index ad1f59f..6127cfe 100644
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -483,6 +483,13 @@
     UINT16        protocol = 0;
     UINT8         *p_src_addr, *p_dst_addr;
 
+    if (rem_len == 0)
+    {
+        android_errorWriteLog(0x534e4554, "78286118");
+        GKI_freebuf(p_buf);
+        return;
+    }
+
 
     /* Find CCB based on CID */
     if ((p_bcb = bnepu_find_bcb_by_cid (l2cap_cid)) == NULL)
@@ -529,23 +536,35 @@
             UINT16      org_len, new_len;
             /* parse the extension headers and process unknown control headers */
             org_len = rem_len;
-            new_len = 0;
             do {
-                if (org_len < 2) break;
+                if (org_len < 2) {
+                    android_errorWriteLog(0x534e4554, "67863755");
+                    break;
+                }
                 ext     = *p++;
                 length  = *p++;
-                p += length;
 
                 new_len = (length + 2);
-                if (new_len > org_len) break;
+                if (new_len > org_len) {
+                    android_errorWriteLog(0x534e4554, "67863755");
+                    break;
+                }
 
-                if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
-                    bnep_send_command_not_understood (p_bcb, *p);
+                if ((ext & 0x7F) == BNEP_EXTENSION_FILTER_CONTROL) {
+                    if (length == 0) {
+                        android_errorWriteLog(0x534e4554, "79164722");
+                        break;
+                    }
+                    if (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG) {
+                        bnep_send_command_not_understood(p_bcb, *p);
+                    }
+                }
+
+                p += length;
 
                 org_len -= new_len;
 
             } while (ext & 0x80);
-            android_errorWriteLog(0x534e4554, "67863755");
         }
 
         osi_free(p_buf);
@@ -595,14 +614,13 @@
             {
                 ext_type = *p++;
                 rem_len--;
-                android_errorWriteLog(0x534e4554, "69271284");
                 extension_present = ext_type >> 7;
                 ext_type &= 0x7F;
 
                 /* if unknown extension present stop processing */
-                if (ext_type)
-                    break;
+                if (ext_type != BNEP_EXTENSION_FILTER_CONTROL) break;
 
+                android_errorWriteLog(0x534e4554, "69271284");
                 p = bnep_process_control_packet (p_bcb, p, &rem_len, TRUE);
             }
         }