commit 90918407e8f511874b1e81aff0130eac986100f8
author Cheney Ni <cheneyni@google.com> Wed Aug 08 22:20:08 2018 +0800
committer android-build-team Robot <android-build-team-robot@google.com> Thu Aug 16 16:40:33 2018 +0000
tree 56774ee58c5c27d048c31da41ab359768b73437c
parent a1a6202f1ddebefe6584b6549a9e47512b67b94c

Checks the SMP length to fix OOB read

Bug: 111937065
Test: manual
Change-Id: I330880a6e1671d0117845430db4076dfe1aba688
Merged-In: I330880a6e1671d0117845430db4076dfe1aba688
(cherry picked from commit fceb753bda651c4135f3f93a510e5fcb4c7542b8)

stack/smp/smp_act.cc

diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index fe21398..15dfae1 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -916,6 +916,15 @@
   uint8_t* p = p_data->p_data;
 
   SMP_TRACE_DEBUG("%s", __func__);
+
+  if (smp_command_has_invalid_parameters(p_cb)) {
+    tSMP_INT_DATA smp_int_data;
+    smp_int_data.status = SMP_INVALID_PARAMETERS;
+    android_errorWriteLog(0x534e4554, "111937065");
+    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+    return;
+  }
+
   STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
 
   smp_key_distribution(p_cb, NULL);
@@ -956,13 +965,22 @@
 }
 
 /*******************************************************************************
- * Function     smp_proc_enc_info
+ * Function     smp_proc_id_info
  * Description  process identity information from peer device
  ******************************************************************************/
 void smp_proc_id_info(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
   uint8_t* p = p_data->p_data;
 
   SMP_TRACE_DEBUG("%s", __func__);
+
+  if (smp_command_has_invalid_parameters(p_cb)) {
+    tSMP_INT_DATA smp_int_data;
+    smp_int_data.status = SMP_INVALID_PARAMETERS;
+    android_errorWriteLog(0x534e4554, "111937065");
+    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);
+    return;
+  }
+
   STREAM_TO_ARRAY(p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
   smp_key_distribution_by_transport(p_cb, NULL);
 }