Add packet length checks in l2cble_process_sig_cmd
Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
diff --git a/stack/l2cap/l2c_ble.c b/stack/l2cap/l2c_ble.c
index 7ebbef3..7e07480 100644
--- a/stack/l2cap/l2c_ble.c
+++ b/stack/l2cap/l2c_ble.c
@@ -630,6 +630,13 @@
UINT16 credit;
p_pkt_end = p + pkt_len;
+ if (p + 4 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad packet length", __func__);
+ return;
+ }
+
STREAM_TO_UINT8 (cmd_code, p);
STREAM_TO_UINT8 (id, p);
STREAM_TO_UINT16 (cmd_len, p);
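Review bot: The guard `if (p + 4 > p_pkt_end)` forms a pointer beyond the end of the packet in exactly the case it is meant to catch (fewer than 4 bytes left), which is undefined behaviour in C even though every real compiler happens to do the obvious thing; the well-defined form compares the remaining length, `if (p_pkt_end - p < 4)`, and it also reads as the intent. The later hunks use the same `p + N > p_pkt_end` shape, so the remark applies to all of them. The `cmd_len` value read on the last line of the hunk is not compared against `p_pkt_end` anywhere visible here, so the per-command guards added below are what actually protect the field reads; a short comment next to that read, e.g. `/* cmd_len is not trusted; each case bounds its own reads against p_pkt_end */`, would stop a later maintainer from assuming it was validated. l2cble_process_sig_cmd begins before this hunk and continues after it.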
@@ -655,6 +662,12 @@
break;
case L2CAP_CMD_BLE_UPDATE_REQ:
+ if (p + 8 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
STREAM_TO_UINT16 (min_interval, p); /* 0x0006 - 0x0C80 */
STREAM_TO_UINT16 (max_interval, p); /* 0x0006 - 0x0C80 */
STREAM_TO_UINT16 (latency, p); /* 0x0000 - 0x03E8 */
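Review bot: The constant 8 in the new guard is not self-explaining: only three UINT16 reads (6 bytes) are visible in the hunk, so the eighth byte must be covered by a further read after the hunk, and a reader checking the bound has to go find it. A comment tying the count to the fields it covers would make each of these guards auditable at a glance, e.g. `/* four UINT16 fields follow: min_interval, max_interval, latency and the one read below */`, with the actual field name filled in once confirmed from the lines after the hunk. The same applies to the 10, 10, 4 and 4 used in the later hunks, where the reads they cover are likewise only partly visible. The case body continues past the end of the hunk.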
@@ -697,6 +710,12 @@
break;
case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:
+ if (p + 10 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
STREAM_TO_UINT16 (con_info.psm, p);
STREAM_TO_UINT16 (rcid, p);
STREAM_TO_UINT16 (mtu, p);
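Review bot: The warning in this hunk says `bad update_req packet length` although the enclosing case is L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ, and the same copied string appears in the guards for the connection-response, L2CAP_CMD_BLE_FLOW_CTRL_CREDIT and L2CAP_CMD_DISC_RSP hunks that follow, so a log line from any of them cannot be attributed to the command that produced it. Name the command in each message, e.g. `L2CAP_TRACE_WARNING ("%s bad credit_based_conn_req packet length", __func__);`. The six-line guard is now repeated in every case with only the byte count and the name varying, which is how the wrong strings got there; folding it into one macro that takes both, and comparing the remaining length rather than forming `p + N`, removes the copy-paste hazard. The macro definition would sit near the top of the file, outside this hunk.
```c
/* Drop the signalling command if fewer than (need) bytes remain in the packet. */
#define L2CBLE_REQUIRE_BYTES(need, what)                                      \
    do {                                                                     \
        if ((p_pkt_end - p) < (need)) {                                      \
            android_errorWriteLog(0x534e4554, "80261585");                   \
            L2CAP_TRACE_WARNING ("%s bad " what " packet length", __func__); \
            return;                                                          \
        }                                                                    \
    } while (0)

        case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:
            L2CBLE_REQUIRE_BYTES (10, "credit_based_conn_req");
            STREAM_TO_UINT16 (con_info.psm, p);
            /* … unchanged: remaining field reads … */
```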
@@ -771,6 +790,12 @@
if (p_ccb)
{
L2CAP_TRACE_DEBUG ("I remember the connection req");
+ if (p + 10 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
STREAM_TO_UINT16 (p_ccb->remote_cid, p);
STREAM_TO_UINT16 (p_ccb->peer_conn_cfg.mtu, p);
STREAM_TO_UINT16 (p_ccb->peer_conn_cfg.mps, p);
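Review bot: The new `return` sits inside the `if (p_ccb)` branch, after the trace that says a connection request is remembered for this CCB, so a malformed response abandons that CCB in whatever state it was in when the request went out. Whether that is intended — the bad response is simply dropped and the existing request timeout is presumably what eventually releases the CCB — cannot be seen from these lines, and a reader will wonder why the other cases return before any CCB lookup while this one returns after it. A one-line comment on the guard stating the decision, e.g. `/* malformed response: drop it, the pending request's timeout still releases p_ccb */`, would record it once confirmed against the code that follows. The `if (p_ccb)` block and the case body extend past the end of the hunk.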
@@ -817,6 +842,12 @@
break;
case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:
+ if (p + 4 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
STREAM_TO_UINT16(lcid, p);
if((p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid)) == NULL)
{
@@ -851,6 +882,12 @@
break;
case L2CAP_CMD_DISC_RSP:
+ if (p + 4 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
STREAM_TO_UINT16 (rcid, p);
STREAM_TO_UINT16 (lcid, p);