Check data length when parsing AVRCP vendor specific command responses

Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
diff --git a/stack/avrc/avrc_pars_ct.cc b/stack/avrc/avrc_pars_ct.cc
index 038efe6..a7a42a5 100644
--- a/stack/avrc/avrc_pars_ct.cc
+++ b/stack/avrc/avrc_pars_ct.cc
@@ -56,13 +56,33 @@
   if (p_msg->vendor_len == 0) return AVRC_STS_NO_ERROR;
   if (p_msg->p_vendor_data == NULL) return AVRC_STS_INTERNAL_ERR;
 
+  if (p_msg->vendor_len < 4) {
+    android_errorWriteLog(0x534e4554, "111450531");
+    AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
+                       __func__, p_msg->vendor_len);
+    return AVRC_STS_INTERNAL_ERR;
+  }
   p = p_msg->p_vendor_data;
   BE_STREAM_TO_UINT8(p_result->pdu, p);
   p++; /* skip the reserved/packe_type byte */
   BE_STREAM_TO_UINT16(len, p);
-  AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x", __func__,
-                   p_msg->hdr.ctype, p_result->pdu, len, len);
+  AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x vendor_len=0x%x",
+                   __func__, p_msg->hdr.ctype, p_result->pdu, len, len,
+                   p_msg->vendor_len);
+  if (p_msg->vendor_len < len + 4) {
+    android_errorWriteLog(0x534e4554, "111450531");
+    AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
+                       __func__, p_msg->vendor_len, len + 4);
+    return AVRC_STS_INTERNAL_ERR;
+  }
+
   if (p_msg->hdr.ctype == AVRC_RSP_REJ) {
+    if (len < 1) {
+      android_errorWriteLog(0x534e4554, "111450531");
+      AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least 1",
+                         __func__, len);
+      return AVRC_STS_INTERNAL_ERR;
+    }
     p_result->rsp.status = *p;
     return p_result->rsp.status;
   }
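Review bot: The literal `4` in `p_msg->vendor_len < 4` and `p_msg->vendor_len < len + 4` is unexplained, although it is the size of the header parsed right after the first check (PDU byte, skipped reserved/packet-type byte, 16-bit parameter length). A named constant, for example `constexpr uint16_t kVendorHdrLen = 4; /* pdu(1) + reserved(1) + param len(2) */`, used in both checks and both warnings would keep the bounds tied to the parsing if the header handling ever changes. The same `android_errorWriteLog` / `AVRC_TRACE_WARNING` / `return AVRC_STS_INTERNAL_ERR` sequence also appears three times in this hunk and twice more in the REGISTER_NOTIFICATION hunk; a small static helper would keep the bug id and return code consistent. The enclosing function starts and ends outside this hunk.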
@@ -83,12 +103,26 @@
 
     case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */
 #if (AVRC_ADV_CTRL_INCLUDED == TRUE)
+      if (len < 1) {
+        android_errorWriteLog(0x534e4554, "111450531");
+        AVRC_TRACE_WARNING(
+            "%s: invalid parameter length %d: must be at least 1", __func__,
+            len);
+        return AVRC_STS_INTERNAL_ERR;
+      }
       BE_STREAM_TO_UINT8(eventid, p);
       if (AVRC_EVT_VOLUME_CHANGE == eventid &&
           (AVRC_RSP_CHANGED == p_msg->hdr.ctype ||
            AVRC_RSP_INTERIM == p_msg->hdr.ctype ||
            AVRC_RSP_REJ == p_msg->hdr.ctype ||
            AVRC_RSP_NOT_IMPL == p_msg->hdr.ctype)) {
+        if (len < 2) {
+          android_errorWriteLog(0x534e4554, "111450531");
+          AVRC_TRACE_WARNING(
+              "%s: invalid parameter length %d: must be at least 2", __func__,
+              len);
+          return AVRC_STS_INTERNAL_ERR;
+        }
         p_result->reg_notif.status = p_msg->hdr.ctype;
         p_result->reg_notif.event_id = eventid;
         BE_STREAM_TO_UINT8(p_result->reg_notif.param.volume, p);
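Review bot: The two new checks in the REGISTER_NOTIFICATION case, `len < 1` and `len < 2`, carry no comment saying which bytes they protect, and the warning text only repeats the number. I would add `/* event id (1 byte) */` above the first and `/* event id + volume (1 byte each) */` above the second, so the thresholds can be checked against the two `BE_STREAM_TO_UINT8` reads that follow them. Only the volume-change branch is visible here; whether the handling of other event ids keeps its reads from `p` within `len` cannot be seen from this hunk and should be confirmed. The switch continues outside the hunk.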