Check remaining frame length in rfc_process_mx_message
Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
diff --git a/stack/rfcomm/rfc_ts_frames.cc b/stack/rfcomm/rfc_ts_frames.cc
index 93a8592..995a9d3 100644
--- a/stack/rfcomm/rfc_ts_frames.cc
+++ b/stack/rfcomm/rfc_ts_frames.cc
@@ -621,6 +621,14 @@
uint8_t ea, cr, mx_len;
bool is_command;
+ if (length < 2) {
+ RFCOMM_TRACE_ERROR(
+ "%s: Illegal MX Frame len when reading EA, C/R. len:%d < 2", __func__,
+ length);
+ android_errorWriteLog(0x534e4554, "111937065");
+ osi_free(p_buf);
+ return;
+ }
p_rx_frame->ea = *p_data & RFCOMM_EA;
p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
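Review bot: The bound `2` in the new guard at the top of the hunk is justified only inside the log text; a comment tying it to the octets consumed right after it would help, e.g. `// Need the type/EA/C-R octet plus the first length octet before reading them.` above `if (length < 2) {`. The trace / android_errorWriteLog / osi_free / return sequence is repeated verbatim here, in the EA = 0 hunk and in the MSC hunk; a single `goto bad_frame;` label at the end of the function, or a small static helper taking the message, would keep the three error paths from drifting apart as more checks are added. `length` is printed with `%d`, which is fine if it is an unsigned 16-bit value promoted to int, but its declaration is outside the hunk so I cannot confirm. rfc_process_mx_message's body begins before this hunk and continues after it.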
@@ -641,6 +649,13 @@
length--;
if (!ea) {
+ if (length < 1) {
+ RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0. len:%d < 1",
+ __func__, length);
+ android_errorWriteLog(0x534e4554, "111937065");
+ osi_free(p_buf);
+ return;
+ }
mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
length--;
}
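Review bot: The second length octet folded into `mx_len` at `mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;` is truncated, because `mx_len` is declared `uint8_t` in the first hunk (`uint8_t ea, cr, mx_len;`); if RFCOMM_SHIFT_LENGTH2 is 7, as in the TS 07.10 two-octet length encoding, only the low bit of that octet survives and the computed length is wrong whenever EA = 0. The new bounds check makes the read itself safe but does not address this, so any later comparison of `mx_len` against the remaining `length` (not visible in this hunk) would reject or misclassify frames that use the long form. Declaring it as `uint16_t mx_len;` next to `ea` and `cr` fixes the arithmetic without touching the parsing. The function's body continues outside the hunk on both sides.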
@@ -709,7 +724,13 @@
return;
case RFCOMM_MX_MSC:
-
+ if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
+ length != RFCOMM_MX_MSC_LEN_NO_BREAK) {
+ RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__, length);
+ android_errorWriteLog(0x534e4554, "111937065");
+ osi_free(p_buf);
+ return;
+ }
ea = *p_data & RFCOMM_EA;
cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;