Make sure only valid packet fields are accessed in VendorPacketHandler
Move packet validation above first access to GetEvent()
Bug: 144066833
Test: avrcp_device_fuzz
Change-Id: I62c03763e7e921adc3456c53090fbf30ff87946e
(cherry picked from commit cd32e0d7cc0712c35f1652a9180f32be6b1cade8)
diff --git a/profile/avrcp/device.cc b/profile/avrcp/device.cc
index 4ca624b..264eaf0 100644
--- a/profile/avrcp/device.cc
+++ b/profile/avrcp/device.cc
@@ -98,6 +98,19 @@
case CommandPdu::REGISTER_NOTIFICATION: {
auto register_notification =
Packet::Specialize<RegisterNotificationResponse>(pkt);
+
+ if (!register_notification->IsValid()) {
+ DEVICE_LOG(WARNING) << __func__ << ": Request packet is not valid";
+ auto response =
+ RejectBuilder::MakeBuilder(pkt->GetCommandPdu(),
+ Status::INVALID_PARAMETER);
+ send_message(label, false, std::move(response));
+ active_labels_.erase(label);
+ volume_interface_ = nullptr;
+ volume_ = VOL_REGISTRATION_FAILED;
+ return;
+ }
+
if (register_notification->GetEvent() != Event::VOLUME_CHANGED) {
DEVICE_LOG(WARNING)
<< __func__ << ": Unhandled register notification received: "
@@ -336,16 +349,6 @@
uint8_t label, const std::shared_ptr<RegisterNotificationResponse>& pkt) {
DEVICE_VLOG(1) << __func__ << ": interim=" << pkt->IsInterim();
- if (!pkt->IsValid()) {
- DEVICE_LOG(WARNING) << __func__ << ": Request packet is not valid";
- auto response = RejectBuilder::MakeBuilder(pkt->GetCommandPdu(), Status::INVALID_PARAMETER);
- send_message(label, false, std::move(response));
- active_labels_.erase(label);
- volume_interface_ = nullptr;
- volume_ = VOL_REGISTRATION_FAILED;
- return;
- }
-
if (volume_interface_ == nullptr) return;
if (pkt->GetCType() == CType::REJECTED) {