Google Git
Sign in
android / platform / system / bt / a50e704^! / .
commita50e70468c0a8d207e416e273d05a08635bdd45f[log] [tgz]
authorHansong Zhang <hsz@google.com>Wed Jan 10 13:43:25 2018 -0800
committerandroid-build-team Robot <android-build-team-robot@google.com>Thu Jan 18 19:08:06 2018 +0000
tree49206a08e59ca69fcb1c8b12fd803b0ddeb6c6e9
parentf0edf6571d2d58e66ee0b100ebe49c585d31489f [diff]
Fix unexpected behavior in reading BNEP packets

Bug: 67863755
Bug: 69177251
Bug: 69177292
Bug: 69271284
Test: BNEP still works
Change-Id: I41b8bfe5e123a56b8812124178663735f2bf3372
(cherry picked from commit 9844ddac4c0aaf217326c56f2814d145c11eb042)

diff --git a/stack/bnep/bnep_main.cc b/stack/bnep/bnep_main.cc
index ce09c47..475cc28 100644
--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc

@@ -34,6 +34,7 @@
 
 #include "l2c_api.h"
 #include "l2cdefs.h"
+#include "log/log.h"
 
 #include "btm_api.h"
 #include "btu.h"
@@ -474,18 +475,20 @@
       org_len = rem_len;
       new_len = 0;
       do {
+        if (org_len < 2) break;
         ext = *p++;
         length = *p++;
         p += length;
 
+        new_len = (length + 2);
+        if (new_len > org_len) break;
+
         if ((!(ext & 0x7F)) && (*p > BNEP_FILTER_MULTI_ADDR_RESPONSE_MSG))
           bnep_send_command_not_understood(p_bcb, *p);
 
-        new_len += (length + 2);
-
-        if (new_len > org_len) break;
-
+        org_len -= new_len;
       } while (ext & 0x80);
+      android_errorWriteLog(0x534e4554, "67863755");
     }
 
     osi_free(p_buf);
@@ -530,6 +533,8 @@
       } else {
         while (extension_present && p && rem_len) {
           ext_type = *p++;
+          rem_len--;
+          android_errorWriteLog(0x534e4554, "69271284");
           extension_present = ext_type >> 7;
           ext_type &= 0x7F;
 

diff --git a/stack/bnep/bnep_utils.cc b/stack/bnep/bnep_utils.cc
index a362635..3bab9ee 100644
--- a/stack/bnep/bnep_utils.cc
+++ b/stack/bnep/bnep_utils.cc

@@ -22,6 +22,8 @@
  *
  ******************************************************************************/
 
+#include <cutils/log.h>
+
 #include <stdio.h>
 #include <string.h>
 #include "bnep_int.h"
@@ -750,6 +752,13 @@
       break;
 
     case BNEP_SETUP_CONNECTION_REQUEST_MSG:
+      if (*rem_len < 1) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_SETUP_CONNECTION_REQUEST_MSG with bad length",
+            __func__);
+        android_errorWriteLog(0x534e4554, "69177292");
+        goto bad_packet_length;
+      }
       len = *p++;
       if (*rem_len < ((2 * len) + 1)) {
         BNEP_TRACE_ERROR(
@@ -775,6 +784,13 @@
       break;
 
     case BNEP_FILTER_NET_TYPE_SET_MSG:
+      if (*rem_len < 2) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_FILTER_NET_TYPE_SET_MSG with bad length",
+            __func__);
+        android_errorWriteLog(0x534e4554, "69177292");
+        goto bad_packet_length;
+      }
       BE_STREAM_TO_UINT16(len, p);
       if (*rem_len < (len + 2)) {
         BNEP_TRACE_ERROR(
@@ -800,6 +816,13 @@
       break;
 
     case BNEP_FILTER_MULTI_ADDR_SET_MSG:
+      if (*rem_len < 2) {
+        BNEP_TRACE_ERROR(
+            "%s: Received BNEP_FILTER_MULTI_ADDR_SET_MSG with bad length",
+            __func__);
+        android_errorWriteLog(0x534e4554, "69177292");
+        goto bad_packet_length;
+      }
       BE_STREAM_TO_UINT16(len, p);
       if (*rem_len < (len + 2)) {
         BNEP_TRACE_ERROR(