OSDN > Developer > hafixie93 > Chamber > system-bt > Commit

system-bt
Fork

R/O
HTTP
SSH
HTTPS

Commit

Commit MetaInfo

Revision	5996428f328f390a3cd9cb67a114f031c5541f75 (tree)
Time	2019-12-17 05:38:44
Author	Ted Wang <tedwang@goog...>
Commiter	Manjae Park

Log Message

Fix potential OOB write in btm_read_remote_ext_features_complete

Add event length check to avoid hci event sent from controller not
correct.
Add page number check to avoid page number is bigger than
HCI_EXT_FEATURES_PAGE_MAX.

Bug: 141552859
Bug: 144205318
Test: inject function
Merged-In: Iaca4db4ee9bf27362f62aba0da088727e98955d1
Change-Id: Iaca4db4ee9bf27362f62aba0da088727e98955d1
(cherry picked from commit 6dfae174853e0c49f36362e59a2c7ca607f01cf9)

Change Summary

modified: stack/btm/btm_acl.cc (diff)
modified: stack/btm/btm_int.h (diff)
modified: stack/btu/btu_hcif.cc (diff)
modified: stack/include/hcidefs.h (diff)

Incremental Difference

--- a/stack/btm/btm_acl.cc

+++ b/stack/btm/btm_acl.cc

		@@ -47,6 +47,7 @@
47	47	#include "device/include/interop.h"
48	48	#include "hcidefs.h"
49	49	#include "hcimsgs.h"
	50	+#include "log/log.h"
50	51	#include "l2c_int.h"
51	52	#include "osi/include/osi.h"
52	53

		@@ -1062,7 +1063,7 @@ void btm_read_remote_features_complete(uint8_t* p) {
1062	1063	* Returns void
1063	1064	*
1064	1065	******************************************************************************/
1065		-void btm_read_remote_ext_features_complete(uint8_t* p) {
	1066	+void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len) {
1066	1067	tACL_CONN* p_acl_cb;
1067	1068	uint8_t page_num, max_page;
1068	1069	uint16_t handle;

		@@ -1070,6 +1071,14 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
1070	1071
1071	1072	BTM_TRACE_DEBUG("btm_read_remote_ext_features_complete");
1072	1073
	1074	+ if (evt_len < HCI_EXT_FEATURES_SUCCESS_EVT_LEN) {
	1075	+ android_errorWriteLog(0x534e4554, "141552859");
	1076	+ BTM_TRACE_ERROR(
	1077	+ "btm_read_remote_ext_features_complete evt length too short. length=%d",
	1078	+ evt_len);
	1079	+ return;
	1080	+ }
	1081	+
1073	1082	++p;
1074	1083	STREAM_TO_UINT16(handle, p);
1075	1084	STREAM_TO_UINT8(page_num, p);

		@@ -1089,6 +1098,19 @@ void btm_read_remote_ext_features_complete(uint8_t* p) {
1089	1098	return;
1090	1099	}
1091	1100
	1101	+ if (page_num > HCI_EXT_FEATURES_PAGE_MAX) {
	1102	+ android_errorWriteLog(0x534e4554, "141552859");
	1103	+ BTM_TRACE_ERROR("btm_read_remote_ext_features_complete num_page=%d invalid",
	1104	+ page_num);
	1105	+ return;
	1106	+ }
	1107	+
	1108	+ if (page_num > max_page) {
	1109	+ BTM_TRACE_WARNING(
	1110	+ "btm_read_remote_ext_features_complete num_page=%d, max_page=%d "
	1111	+ "invalid", page_num, max_page);
	1112	+ }
	1113	+
1092	1114	p_acl_cb = &btm_cb.acl_db[acl_idx];
1093	1115
1094	1116	/* Copy the received features page */

--- a/stack/btm/btm_int.h

+++ b/stack/btm/btm_int.h

		@@ -117,7 +117,7 @@ extern uint16_t btm_get_acl_disc_reason_code(void);
117	117	extern tBTM_STATUS btm_remove_acl(const RawAddress& bd_addr,
118	118	tBT_TRANSPORT transport);
119	119	extern void btm_read_remote_features_complete(uint8_t* p);
120		-extern void btm_read_remote_ext_features_complete(uint8_t* p);
	120	+extern void btm_read_remote_ext_features_complete(uint8_t* p, uint8_t evt_len);
121	121	extern void btm_read_remote_ext_features_failed(uint8_t status,
122	122	uint16_t handle);
123	123	extern void btm_read_remote_version_complete(uint8_t* p);

--- a/stack/btu/btu_hcif.cc

+++ b/stack/btu/btu_hcif.cc

		@@ -70,7 +70,8 @@ static void btu_hcif_authentication_comp_evt(uint8_t* p);
70	70	static void btu_hcif_rmt_name_request_comp_evt(uint8_t* p, uint16_t evt_len);
71	71	static void btu_hcif_encryption_change_evt(uint8_t* p);
72	72	static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p);
73		-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p);
	73	+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
	74	+ uint8_t evt_len);
74	75	static void btu_hcif_read_rmt_version_comp_evt(uint8_t* p);
75	76	static void btu_hcif_qos_setup_comp_evt(uint8_t* p);
76	77	static void btu_hcif_command_complete_evt(BT_HDR* response, void* context);

		@@ -194,7 +195,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
194	195	btu_hcif_read_rmt_features_comp_evt(p);
195	196	break;
196	197	case HCI_READ_RMT_EXT_FEATURES_COMP_EVT:
197		- btu_hcif_read_rmt_ext_features_comp_evt(p);
	198	+ btu_hcif_read_rmt_ext_features_comp_evt(p, hci_evt_len);
198	199	break;
199	200	case HCI_READ_RMT_VERSION_COMP_EVT:
200	201	btu_hcif_read_rmt_version_comp_evt(p);

		@@ -791,7 +792,8 @@ static void btu_hcif_read_rmt_features_comp_evt(uint8_t* p) {
791	792	* Returns void
792	793	*
793	794	******************************************************************************/
794		-static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
	795	+static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p,
	796	+ uint8_t evt_len) {
795	797	uint8_t* p_cur = p;
796	798	uint8_t status;
797	799	uint16_t handle;

		@@ -799,7 +801,7 @@ static void btu_hcif_read_rmt_ext_features_comp_evt(uint8_t* p) {
799	801	STREAM_TO_UINT8(status, p_cur);
800	802
801	803	if (status == HCI_SUCCESS)
802		- btm_read_remote_ext_features_complete(p);
	804	+ btm_read_remote_ext_features_complete(p, evt_len);
803	805	else {
804	806	STREAM_TO_UINT16(handle, p_cur);
805	807	btm_read_remote_ext_features_failed(status, handle);

--- a/stack/include/hcidefs.h

+++ b/stack/include/hcidefs.h

		@@ -1296,6 +1296,8 @@ typedef struct {
1296	1296
1297	1297	#define HCI_FEATURE_BYTES_PER_PAGE 8
1298	1298
	1299	+#define HCI_EXT_FEATURES_SUCCESS_EVT_LEN 13
	1300	+
1299	1301	#define HCI_FEATURES_KNOWN(x) \
1300	1302	(((x)[0] \| (x)[1] \| (x)[2] \| (x)[3] \| (x)[4] \| (x)[5] \| (x)[6] \| (x)[7]) != 0)
1301	1303

system-bt Fork