[automerger skipped] DO NOT MERGE -- Merge PPRL.190405.003 into master
am: 0c3e577821 -s ours
am skip reason: subject contains skip directive

Change-Id: Ibe28405374ac927ed6c5b48f0dc585cc39986ad9
diff --git a/src/nfc/llcp/llcp_dlc.cc b/src/nfc/llcp/llcp_dlc.cc
index 2cae526..5882b9a 100644
--- a/src/nfc/llcp/llcp_dlc.cc
+++ b/src/nfc/llcp/llcp_dlc.cc
@@ -1071,6 +1071,10 @@
   if (p_dlcb != nullptr) {
     error_flags = 0;
 
+    if (length == 0) {
+      android_errorWriteLog(0x534e4554, "116788646");
+      return;
+    }
     rcv_seq = LLCP_GET_NR(*p_data);
 
     if (length != LLCP_PDU_RR_SIZE - LLCP_PDU_HEADER_SIZE) {
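Review bot: The new zero-length guard has no comment saying what it protects, and it returns without a LOG(ERROR) line, so a dropped PDU leaves only the event-log entry behind. A comment above the `if` would make the intent clear, for example `/* need at least one byte: LLCP_GET_NR dereferences p_data on the next line */`. The `if (length != LLCP_PDU_RR_SIZE - LLCP_PDU_HEADER_SIZE)` block that follows continues outside the hunk, so I cannot tell whether returning here skips an error response that the length-mismatch path would have sent; that is worth confirming.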
diff --git a/src/nfc/llcp/llcp_link.cc b/src/nfc/llcp/llcp_link.cc
index f7a2f69..1bff0a5 100644
--- a/src/nfc/llcp/llcp_link.cc
+++ b/src/nfc/llcp/llcp_link.cc
@@ -1137,7 +1137,7 @@
   agf_length = p_agf->len;
   p = (uint8_t*)(p_agf + 1) + p_agf->offset;
 
-  while (agf_length >= LLCP_PDU_HEADER_SIZE) {
+  while (agf_length > 0) {
     /* get length of PDU */
     p_pdu_length = p;
     BE_STREAM_TO_UINT16(pdu_length, p);
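Review bot: With the condition relaxed to `agf_length > 0`, a remainder of one byte enters the loop and `BE_STREAM_TO_UINT16(pdu_length, p)` reads a 16-bit length from p, which takes it one byte past the aggregated frame. The loop condition should require the whole length field before it is read; the previous bound `agf_length >= LLCP_PDU_HEADER_SIZE` did that, provided the constant is at least 2. The loop body continues outside the hunk, so a later check on pdu_length may exist, but it would run after this read.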
diff --git a/src/nfc/llcp/llcp_util.cc b/src/nfc/llcp/llcp_util.cc
index 80709e0..e173084 100644
--- a/src/nfc/llcp/llcp_util.cc
+++ b/src/nfc/llcp/llcp_util.cc
@@ -26,7 +26,6 @@
 
 #include <android-base/stringprintf.h>
 #include <base/logging.h>
-#include <log/log.h>
 
 #include "bt_types.h"
 #include "gki.h"
@@ -50,34 +49,20 @@
 bool llcp_util_parse_link_params(uint16_t length, uint8_t* p_bytes) {
   uint8_t param_type, param_len, *p = p_bytes;
 
-  while (length >= 2) {
+  while (length) {
     BE_STREAM_TO_UINT8(param_type, p);
-    BE_STREAM_TO_UINT8(param_len, p);
-    if (length < param_len + 2) {
-      android_errorWriteLog(0x534e4554, "114238578");
-      LOG(ERROR) << StringPrintf("Bad TLV's");
-      return false;
-    }
-    length -= param_len + 2;
+    length--;
 
     switch (param_type) {
       case LLCP_VERSION_TYPE:
-        if (param_len != LLCP_VERSION_LEN) {
-          android_errorWriteLog(0x534e4554, "114238578");
-          LOG(ERROR) << StringPrintf("Bad TLV's");
-          return false;
-        }
+        BE_STREAM_TO_UINT8(param_len, p);
         BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_version, p);
         DLOG_IF(INFO, nfc_debug_enabled)
             << StringPrintf("Peer Version - 0x%02X", llcp_cb.lcb.peer_version);
         break;
 
       case LLCP_MIUX_TYPE:
-        if (param_len != LLCP_MIUX_LEN) {
-          android_errorWriteLog(0x534e4554, "114238578");
-          LOG(ERROR) << StringPrintf("Bad TLV's");
-          return false;
-        }
+        BE_STREAM_TO_UINT8(param_len, p);
         BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_miu, p);
         llcp_cb.lcb.peer_miu &= LLCP_MIUX_MASK;
         llcp_cb.lcb.peer_miu += LLCP_DEFAULT_MIU;
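Review bot: Each case in llcp_util_parse_link_params now reads param_len and then the value from p before anything compares them with the remaining length, so a truncated or mis-sized parameter from the peer is read past the end of p_bytes. With `while (length)` a single trailing byte is already enough to reach the unchecked param_len read. The same pattern recurs in the later hunks of this function (WKS, LTO, OPT, default) and in the two parsers further down the file, in the hunks that start at `p_params->sn[0] = 0;` and `*p_miu = LLCP_DEFAULT_MIU;`. The remaining-length test should run before the switch, and each fixed-size type should reject a param_len other than its expected length, as sketched below. The switch continues outside this hunk.

```cpp
  while (length >= 2) {
    BE_STREAM_TO_UINT8(param_type, p);
    BE_STREAM_TO_UINT8(param_len, p);
    /* reject a parameter whose declared value runs past the buffer */
    if (length < param_len + 2) {
      LOG(ERROR) << StringPrintf("Bad TLV's");
      return false;
    }
    length -= param_len + 2;

    switch (param_type) {
      case LLCP_VERSION_TYPE:
        /* fixed-size parameter: the read below consumes exactly one byte */
        if (param_len != LLCP_VERSION_LEN) {
          LOG(ERROR) << StringPrintf("Bad TLV's");
          return false;
        }
        // … unchanged: peer_version read and debug log …
        break;
      // … same param_len check against the expected length in the MIUX, WKS, LTO and OPT cases …
```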
@@ -86,22 +71,14 @@
         break;
 
       case LLCP_WKS_TYPE:
-        if (param_len != LLCP_WKS_LEN) {
-          android_errorWriteLog(0x534e4554, "114238578");
-          LOG(ERROR) << StringPrintf("Bad TLV's");
-          return false;
-        }
+        BE_STREAM_TO_UINT8(param_len, p);
         BE_STREAM_TO_UINT16(llcp_cb.lcb.peer_wks, p);
         DLOG_IF(INFO, nfc_debug_enabled)
             << StringPrintf("Peer WKS - 0x%04X", llcp_cb.lcb.peer_wks);
         break;
 
       case LLCP_LTO_TYPE:
-        if (param_len != LLCP_LTO_LEN) {
-          android_errorWriteLog(0x534e4554, "114238578");
-          LOG(ERROR) << StringPrintf("Bad TLV's");
-          return false;
-        }
+        BE_STREAM_TO_UINT8(param_len, p);
         BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_lto, p);
         llcp_cb.lcb.peer_lto *= LLCP_LTO_UNIT; /* 10ms unit */
         DLOG_IF(INFO, nfc_debug_enabled)
@@ -109,11 +86,7 @@
         break;
 
       case LLCP_OPT_TYPE:
-        if (param_len != LLCP_OPT_LEN) {
-          android_errorWriteLog(0x534e4554, "114238578");
-          LOG(ERROR) << StringPrintf("Bad TLV's");
-          return false;
-        }
+        BE_STREAM_TO_UINT8(param_len, p);
         BE_STREAM_TO_UINT8(llcp_cb.lcb.peer_opt, p);
         DLOG_IF(INFO, nfc_debug_enabled)
             << StringPrintf("Peer OPT - 0x%02X", llcp_cb.lcb.peer_opt);
@@ -121,9 +94,17 @@
 
       default:
         LOG(ERROR) << StringPrintf("Unexpected type 0x%x", param_type);
+        BE_STREAM_TO_UINT8(param_len, p);
         p += param_len;
         break;
     }
+
+    if (length >= param_len + 1)
+      length -= param_len + 1;
+    else {
+      LOG(ERROR) << StringPrintf("Bad LTV's");
+      return false;
+    }
   }
   return true;
 }
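Review bot: The bookkeeping at the bottom of the loop subtracts `param_len + 1` from length no matter how many bytes the case actually consumed. For a fixed-size type with an unexpected param_len, p and length then stop describing the same position, and the next iteration parses value bytes as a type. The check also runs only after the switch has read the value, and after `p += param_len` in the default case, so it cannot prevent the read it is checking. The same block closes the other two parsers in this file, the ones that return LLCP_STATUS_FAIL. Separately, the commit drops the `android_errorWriteLog(0x534e4554, ...)` calls from the malformed-parameter paths, which removes the event-log record of a malformed peer, and the new message reads "Bad LTV's" where the file previously used "Bad TLV's".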
@@ -493,24 +474,13 @@
   p_params->sn[0] = 0;
   p_params->sn[1] = 0;
 
-  while (length >= 2) {
+  while (length) {
     BE_STREAM_TO_UINT8(param_type, p);
-    BE_STREAM_TO_UINT8(param_len, p);
-    /* check remaining lengh */
-    if (length < param_len + 2) {
-      android_errorWriteLog(0x534e4554, "111660010");
-      LOG(ERROR) << StringPrintf("Bad TLV's");
-      return LLCP_STATUS_FAIL;
-    }
-    length -= param_len + 2;
+    length--;
 
     switch (param_type) {
       case LLCP_MIUX_TYPE:
-        if (param_len != LLCP_MIUX_LEN) {
-          android_errorWriteLog(0x534e4554, "111660010");
-          LOG(ERROR) << StringPrintf("Bad TLV's");
-          return LLCP_STATUS_FAIL;
-        }
+        BE_STREAM_TO_UINT8(param_len, p);
         BE_STREAM_TO_UINT16(p_params->miu, p);
         p_params->miu &= LLCP_MIUX_MASK;
         p_params->miu += LLCP_DEFAULT_MIU;
@@ -520,11 +490,7 @@
         break;
 
       case LLCP_RW_TYPE:
-        if (param_len != LLCP_RW_LEN) {
-          android_errorWriteLog(0x534e4554, "111660010");
-          LOG(ERROR) << StringPrintf("Bad TLV's");
-          return LLCP_STATUS_FAIL;
-        }
+        BE_STREAM_TO_UINT8(param_len, p);
         BE_STREAM_TO_UINT8(p_params->rw, p);
         p_params->rw &= 0x0F;
 
@@ -533,6 +499,8 @@
         break;
 
       case LLCP_SN_TYPE:
+        BE_STREAM_TO_UINT8(param_len, p);
+
         if (param_len == 0) {
           /* indicate that SN type is included without SN */
           p_params->sn[1] = LLCP_SN_TYPE;
@@ -551,9 +519,18 @@
 
       default:
         LOG(ERROR) << StringPrintf("Unexpected type 0x%x", param_type);
+        BE_STREAM_TO_UINT8(param_len, p);
         p += param_len;
         break;
     }
+
+    /* check remaining lengh */
+    if (length >= param_len + 1) {
+      length -= param_len + 1;
+    } else {
+      LOG(ERROR) << StringPrintf("Bad LTV's");
+      return LLCP_STATUS_FAIL;
+    }
   }
   return LLCP_STATUS_SUCCESS;
 }
@@ -630,23 +607,13 @@
   *p_miu = LLCP_DEFAULT_MIU;
   *p_rw = LLCP_DEFAULT_RW;
 
-  while (length >= 2) {
+  while (length) {
     BE_STREAM_TO_UINT8(param_type, p);
-    BE_STREAM_TO_UINT8(param_len, p);
-    if (length < param_len + 2) {
-      android_errorWriteLog(0x534e4554, "114237888");
-      LOG(ERROR) << StringPrintf("Bad TLV's");
-      return LLCP_STATUS_FAIL;
-    }
-    length -= param_len + 2;
+    length--;
 
     switch (param_type) {
       case LLCP_MIUX_TYPE:
-        if (param_len != LLCP_MIUX_LEN) {
-          android_errorWriteLog(0x534e4554, "114237888");
-          LOG(ERROR) << StringPrintf("Bad TLV's");
-          return LLCP_STATUS_FAIL;
-        }
+        BE_STREAM_TO_UINT8(param_len, p);
         BE_STREAM_TO_UINT16((*p_miu), p);
         (*p_miu) &= LLCP_MIUX_MASK;
         (*p_miu) += LLCP_DEFAULT_MIU;
@@ -656,11 +623,7 @@
         break;
 
       case LLCP_RW_TYPE:
-        if (param_len != LLCP_RW_LEN) {
-          android_errorWriteLog(0x534e4554, "114237888");
-          LOG(ERROR) << StringPrintf("Bad TLV's");
-          return LLCP_STATUS_FAIL;
-        }
+        BE_STREAM_TO_UINT8(param_len, p);
         BE_STREAM_TO_UINT8((*p_rw), p);
         (*p_rw) &= 0x0F;
 
@@ -670,9 +633,17 @@
 
       default:
         LOG(ERROR) << StringPrintf("Unexpected type 0x%x", param_type);
+        BE_STREAM_TO_UINT8(param_len, p);
         p += param_len;
         break;
     }
+
+    if (length >= param_len + 1)
+      length -= param_len + 1;
+    else {
+      LOG(ERROR) << StringPrintf("Bad LTV's");
+      return LLCP_STATUS_FAIL;
+    }
   }
   return LLCP_STATUS_SUCCESS;
 }