Add bound check for rfc_parse_data
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
diff --git a/stack/include/rfcdefs.h b/stack/include/rfcdefs.h
index 5118ccd..ab3ceb6 100644
--- a/stack/include/rfcdefs.h
+++ b/stack/include/rfcdefs.h
@@ -89,13 +89,6 @@
(pf) = (*(p_data)++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET; \
}
-#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data) \
- { \
- (ea) = (*(p_data)&RFCOMM_EA); \
- (length) = (*(p_data)++ >> RFCOMM_SHIFT_LENGTH1); \
- if (!(ea)) (length) += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2); \
- }
-
#define RFCOMM_FRAME_IS_CMD(initiator, cr) \
(((initiator) && !(cr)) || (!(initiator) && (cr)))
diff --git a/stack/rfcomm/rfc_ts_frames.cc b/stack/rfcomm/rfc_ts_frames.cc
index aa4138f..b959827 100644
--- a/stack/rfcomm/rfc_ts_frames.cc
+++ b/stack/rfcomm/rfc_ts_frames.cc
@@ -26,6 +26,7 @@
#include "bt_common.h"
#include "bt_target.h"
#include "l2c_api.h"
+#include "log/log.h"
#include "port_api.h"
#include "port_int.h"
#include "rfc_int.h"
@@ -516,7 +517,16 @@
return (RFC_EVENT_BAD_FRAME);
}
RFCOMM_PARSE_TYPE_FIELD(p_frame->type, p_frame->pf, p_data);
- RFCOMM_PARSE_LEN_FIELD(eal, len, p_data);
+
+ eal = *(p_data)&RFCOMM_EA;
+ len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
+ if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN) {
+ len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
+ } else if (eal == 0) {
+ RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
+ android_errorWriteLog(0x534e4554, "78288018");
+ return RFC_EVENT_BAD_FRAME;
+ }
p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
p_buf->offset += (3 + !ead + !eal);