system/bt
Revisión | d0450d0fc680ce0864c9fe178b239b002236485a (tree) |
---|---|
Tiempo | 2018-08-30 13:26:28 |
Autor | Hansong Zhang <hsz@goog...> |
Commiter | android-build-team Robot |
Add bound check for rfc_parse_data
Bug: 78288018
Test: manual
Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
(cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
@@ -89,13 +89,6 @@ | ||
89 | 89 | (pf) = (*(p_data)++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET; \ |
90 | 90 | } |
91 | 91 | |
92 | -#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data) \ | |
93 | - { \ | |
94 | - (ea) = (*(p_data)&RFCOMM_EA); \ | |
95 | - (length) = (*(p_data)++ >> RFCOMM_SHIFT_LENGTH1); \ | |
96 | - if (!(ea)) (length) += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2); \ | |
97 | - } | |
98 | - | |
99 | 92 | #define RFCOMM_FRAME_IS_CMD(initiator, cr) \ |
100 | 93 | (((initiator) && !(cr)) || (!(initiator) && (cr))) |
101 | 94 |
@@ -517,7 +517,16 @@ uint8_t rfc_parse_data(tRFC_MCB* p_mcb, MX_FRAME* p_frame, BT_HDR* p_buf) { | ||
517 | 517 | return (RFC_EVENT_BAD_FRAME); |
518 | 518 | } |
519 | 519 | RFCOMM_PARSE_TYPE_FIELD(p_frame->type, p_frame->pf, p_data); |
520 | - RFCOMM_PARSE_LEN_FIELD(eal, len, p_data); | |
520 | + | |
521 | + eal = *(p_data)&RFCOMM_EA; | |
522 | + len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1; | |
523 | + if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN) { | |
524 | + len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2); | |
525 | + } else if (eal == 0) { | |
526 | + RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len); | |
527 | + android_errorWriteLog(0x534e4554, "78288018"); | |
528 | + return RFC_EVENT_BAD_FRAME; | |
529 | + } | |
521 | 530 | |
522 | 531 | p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */ |
523 | 532 | p_buf->offset += (3 + !ead + !eal); |
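Review bot: The direction of the new comparison on the `eal == 0` branch looks reversed: the second length octet is consumed only when `p_buf->len < RFCOMM_CTRL_FRAME_LEN`, and every other frame with EA = 0 is rejected as RFC_EVENT_BAD_FRAME. If RFCOMM_CTRL_FRAME_LEN is the minimum control-frame size, as its name suggests, a two-octet length field needs a buffer larger than that minimum, so `if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN) {` appears to be the intended guard; the `return (RFC_EVENT_BAD_FRAME);` context just above also suggests an earlier check already rejects buffers shorter than the minimum, which would make the `<` branch unreachable and turn this bound check into a rejection of all well-formed long frames. Even with the comparison corrected, this check only proves that the extra length octet exists; whether the parsed `len` itself fits in the bytes remaining after `p_buf->len -= (3 + !ead + !eal + 1)` is not visible in this hunk and should be confirmed further down. A short comment such as `/* EA=0: length field is two octets, make sure the second one is inside the buffer */` above the branch would record why the frame length is consulted here. rfc_parse_data begins before and continues after this hunk.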