HID Device: Fix OOB in register_app
Bug: 113037220
Bug: 113111784
Test: manual
Change-Id: I91bcd5032959458b926c479160c7e391b8de313b
(cherry picked from commit 6aa2d0a5fab28c8829aab4099da0ad450e451c1e)
diff --git a/bta/hd/bta_hd_api.cc b/bta/hd/bta_hd_api.cc
index 5459747..40963cc 100644
--- a/bta/hd/bta_hd_api.cc
+++ b/bta/hd/bta_hd_api.cc
@@ -27,6 +27,7 @@
#if defined(BTA_HD_INCLUDED) && (BTA_HD_INCLUDED == TRUE)
+#include <log/log.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -124,6 +125,10 @@
p_buf->subclass = p_app_info->subclass;
+ if (p_app_info->descriptor.dl_len > BTA_HD_APP_DESCRIPTOR_LEN) {
+ p_app_info->descriptor.dl_len = BTA_HD_APP_DESCRIPTOR_LEN;
+ android_errorWriteLog(0x534e4554, "113111784");
+ }
p_buf->d_len = p_app_info->descriptor.dl_len;
memcpy(p_buf->d_data, p_app_info->descriptor.dsc_list,
p_app_info->descriptor.dl_len);
diff --git a/btif/src/btif_hd.cc b/btif/src/btif_hd.cc
index bc0992d..6d83167 100644
--- a/btif/src/btif_hd.cc
+++ b/btif/src/btif_hd.cc
@@ -25,15 +25,16 @@
*
*
***********************************************************************************/
+#define LOG_TAG "BTIF_HD"
+
#include <errno.h>
#include <hardware/bluetooth.h>
#include <hardware/bt_hd.h>
+#include <log/log.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#define LOG_TAG "BTIF_HD"
-
#include "bta_api.h"
#include "bta_hd_api.h"
#include "bta_hh_api.h"
@@ -399,13 +400,18 @@
return BT_STATUS_BUSY;
}
- app_info.p_name = (char*)osi_malloc(BTIF_HD_APP_NAME_LEN);
- memcpy(app_info.p_name, p_app_param->name, BTIF_HD_APP_NAME_LEN);
- app_info.p_description = (char*)osi_malloc(BTIF_HD_APP_DESCRIPTION_LEN);
- memcpy(app_info.p_description, p_app_param->description,
- BTIF_HD_APP_DESCRIPTION_LEN);
- app_info.p_provider = (char*)osi_malloc(BTIF_HD_APP_PROVIDER_LEN);
- memcpy(app_info.p_provider, p_app_param->provider, BTIF_HD_APP_PROVIDER_LEN);
+ if (strlen(p_app_param->name) >= BTIF_HD_APP_NAME_LEN ||
+ strlen(p_app_param->description) >= BTIF_HD_APP_DESCRIPTION_LEN ||
+ strlen(p_app_param->provider) >= BTIF_HD_APP_PROVIDER_LEN) {
+ android_errorWriteLog(0x534e4554, "113037220");
+ }
+ app_info.p_name = (char*)osi_calloc(BTIF_HD_APP_NAME_LEN);
+ strlcpy(app_info.p_name, p_app_param->name, BTIF_HD_APP_NAME_LEN);
+ app_info.p_description = (char*)osi_calloc(BTIF_HD_APP_DESCRIPTION_LEN);
+ strlcpy(app_info.p_description, p_app_param->description,
+ BTIF_HD_APP_DESCRIPTION_LEN);
+ app_info.p_provider = (char*)osi_calloc(BTIF_HD_APP_PROVIDER_LEN);
+ strlcpy(app_info.p_provider, p_app_param->provider, BTIF_HD_APP_PROVIDER_LEN);
app_info.subclass = p_app_param->subclass;
app_info.descriptor.dl_len = p_app_param->desc_list_len;
app_info.descriptor.dsc_list =
