OSDN > Desarrollador > hafixie93 > Chamber > system-bt > Commit

system-bt
Fork

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Revisión	b4e8a17daa72b241ae4ec746536dd489e9ade508 (tree)
Tiempo	2019-11-26 16:04:41
Autor	Ted Wang <tedwang@goog...>
Commiter	Ted Wang

Log Message

Fix potential OOB write in btm_read_remote_ext_features_complete

Add event length check to avoid hci event sent from controller not
correct.
Add page number check to avoid page number is bigger than
HCI_EXT_FEATURES_PAGE_MAX.

Bug: 141552859
Bug: 144205318
Test: inject function
Merged-In: Iaca4db4ee9bf27362f62aba0da088727e98955d1
Change-Id: Iaca4db4ee9bf27362f62aba0da088727e98955d1

Cambiar Resumen

modified: stack/btm/btm_acl.cc (diff)
modified: stack/btm/btm_int.h (diff)
modified: stack/btu/btu_hcif.cc (diff)
modified: stack/include/hcidefs.h (diff)

Diferencia incremental

--- a/stack/btm/btm_acl.cc

+++ b/stack/btm/btm_acl.cc

		@@ -46,6 +46,7 @@
46	46	#include "device/include/controller.h"
47	47	#include "hcidefs.h"
48	48	#include "hcimsgs.h"
	49	+#include "log/log.h"
49	50	#include "l2c_int.h"
50	51	#include "osi/include/osi.h"
51	52

		@@ -1062,7 +1063,7 @@ void btm_read_remote_features_complete(uint8_t* p) {
1062	1063	* Returns void
1063	1064	*
1064	1065	******************************************************************************/
1065		-void btm_read_remote_ext_features_complete(uint8_t* p) {
	1066	+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
1066	1067	tACL_CONN* p_acl_cb;
1067	1068	uint8_t page_num, max_page;
1068	1069	uint16_t handle;

		@@ -1070,6 +1071,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
1070	1071
1071	1072	BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
1072	1073
	1074	+ if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
	1075	+ android_errorWriteLog(0x534e4554, "141552859");
	1076	+ BTM_TRACE_ERROR(
	1077	+ "btm_read_remote_ext_features_complete evt length too short. length=%d",
	1078	+ evt_len);
	1079	+ return;
	1080	+ }
	1081	+
1073	1082	++p;
1074	1083	STREAM_TO_UINT16(handle, p);
1075	1084	STREAM_TO_UINT8(page_num, p);

		@@ -1089,6 +1098,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
1089	1098	return;
1090	1099	}
1091	1100
	1101	+ if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {
	1102	+ android_errorWriteLog(0x534e4554, "141552859");
	1103	+ BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
	1104	+ page_num);
	1105	+ return;
	1106	+ }
	1107	+
	1108	+ if (page_num > max_page) {
	1109	+ BTM_TRACE_WARNING(
	1110	+ "btm_read_remote_ext_features_complete num_page=%d, max_page=%d "
	1111	+ "invalid", page_num, max_page);
	1112	+ }
	1113	+
1092	1114	p_acl_cb = &btm_cb.acl_db[acl_idx];
1093	1115
1094	1116	/* Copy the received features page */

--- a/stack/btm/btm_int.h

+++ b/stack/btm/btm_int.h

		@@ -110,7 +110,7 @@ extern void btm_acl_encrypt_change(uint16_t handle, uint8_t status,
110	110	extern uint16_t btm_get_acl_disc_reason_code(void);
111	111	extern tBTM_STATUS btm_remove_acl(BD_ADDR bd_addr, tBT_TRANSPORT transport);
112	112	extern void btm_read_remote_features_complete(uint8_t* p);
113		-extern void btm_read_remote_ext_features_complete(uint8_t* p);
	113	+extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
114	114	extern void btm_read_remote_ext_features_failed(uint8_t status,
115	115	uint16_t handle);
116	116	extern void btm_read_remote_version_complete(uint8_t* p);

--- a/stack/btu/btu_hcif.cc

+++ b/stack/btu/btu_hcif.cc

		@@ -72,7 +72,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p);
72	72	static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
73	73	static void btu_hcif_encryption_change_evt(uint8_t* p);
74	74	static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
75		-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
	75	+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
	76	+ uint8_t evt_len);
76	77	static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
77	78	static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
78	79	static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);

		@@ -184,7 +185,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
184	185	btu_hcif_read_rmt_features_comp_evt(p);
185	186	break;
186	187	case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
187		- btu_hcif_read_rmt_ext_features_comp_evt(p);
	188	+ btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
188	189	break;
189	190	case HCI_READ_RMT_VERSION_COMP_EVT:
190	191	btu_hcif_read_rmt_version_comp_evt(p);

		@@ -800,7 +801,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) {
800	801	* Returns void
801	802	*
802	803	******************************************************************************/
803		-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
	804	+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
	805	+ uint8_t evt_len) {
804	806	uint8_t* p_cur = p;
805	807	uint8_t status;
806	808	uint16_t handle;

		@@ -808,7 +810,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
808	810	STREAM_TO_UINT8(status, p_cur);
809	811
810	812	if (status == HCI_SUCCESS)
811		- btm_read_remote_ext_features_complete(p);
	813	+ btm_read_remote_ext_features_complete(p, evt_len);
812	814	else {
813	815	STREAM_TO_UINT16(handle, p_cur);
814	816	btm_read_remote_ext_features_failed(status, handle);

--- a/stack/include/hcidefs.h

+++ b/stack/include/hcidefs.h

		@@ -1567,6 +1567,8 @@ typedef struct {
1567	1567
1568	1568	#define HCI_FEATURE_BYTES_PER_PAGE 8
1569	1569
	1570	+#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
	1571	+
1570	1572	#define HCI_FEATURES_KNOWN(x) \
1571	1573	(((x)[0] \| (x)[1] \| (x)[2] \| (x)[3] \| (x)[4] \| (x)[5] \| (x)[6] \| (x)[7]) != 0)
1572	1574

system-bt Fork