Checks the SMP length to fix OOB read

Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit 4978acce4af0c3975ffde9386b7da38f88bb1711)
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 59045be..0976b36 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -16,6 +16,7 @@
  *
  ******************************************************************************/
 
+#include <log/log.h>
 #include <string.h>
 #include "btif_common.h"
 #include "device/include/interop.h"
@@ -898,6 +899,14 @@
   uint8_t* p = (uint8_t*)p_data;
 
   SMP_TRACE_DEBUG("%s", __func__);
+
+  if (smp_command_has_invalid_parameters(p_cb)) {
+    uint8_t reason = SMP_INVALID_PARAMETERS;
+    android_errorWriteLog(0x534e4554, "111937065");
+    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+    return;
+  }
+
   STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
 
   smp_key_distribution(p_cb, NULL);
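Review bot: The new guard at the top of this handler tests only p_cb, while the 16-byte STREAM_TO_ARRAY that follows reads from p (derived from p_data), and nothing visible in the hunk ties the validated length to that buffer. A short comment above the check would record the invariant for the next reader, for example `/* Reject a truncated PDU before reading BT_OCTET16_LEN bytes from p_data. */`. The literal `0x534e4554` is ASCII "SNET"; a one-line comment saying so, or a named constant if the tree already has one, would make the purpose of the security-log call clear. The enclosing function starts above the hunk, and both remarks apply equally to the identical block added to smp_proc_id_info in the next hunk.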
@@ -930,13 +939,21 @@
 }
 
 /*******************************************************************************
- * Function     smp_proc_enc_info
+ * Function     smp_proc_id_info
  * Description  process identity information from peer device
  ******************************************************************************/
 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   uint8_t* p = (uint8_t*)p_data;
 
   SMP_TRACE_DEBUG("%s", __func__);
+
+  if (smp_command_has_invalid_parameters(p_cb)) {
+    uint8_t reason = SMP_INVALID_PARAMETERS;
+    android_errorWriteLog(0x534e4554, "111937065");
+    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+    return;
+  }
+
   STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
   smp_key_distribution_by_transport(p_cb, NULL);
 }
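Review bot: The rejection block added to smp_proc_id_info is a verbatim copy of the one in the previous hunk, so the reason code, the log call and the state-machine event now have to be kept in step in two places. Moving those three statements into one file-local helper that takes p_cb (named, say, `smp_reject_invalid_params`), and leaving each handler with only the `if (smp_command_has_invalid_parameters(p_cb))` test, the helper call and `return;`, would keep the rejection path uniform. Any other handler in this file that copies a fixed-size field out of p_data is outside the visible hunks, so it is worth confirming that each one runs the same check before its first STREAM_TO_* read.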