Merge the 2019-04-01 SPL branch from AOSP-Partner
* security-aosp-nyc-mr2-release:
Revert "DO NOT MERGE Separate SDP procedure from bonding state (1/2)"
DO NOT MERGE Fix length for L2CAP config type EXT FLOW
DO NOT MERGE btm_proc_smp_cback: Don't access p_dev_rec if freed
DO NOT MERGE process_l2cap_cmd: Fix OOB
DO NOT MERGE Separate SDP procedure from bonding state (1/2)
DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu
Change-Id: I3bbba3f283c95d6ddfb5181545f046946b1f8bba
diff --git a/stack/btm/btm_ble.c b/stack/btm/btm_ble.c
index 9645cc5..04f800c 100644
--- a/stack/btm/btm_ble.c
+++ b/stack/btm/btm_ble.c
@@ -40,6 +40,7 @@
#include "device/include/controller.h"
#include "gap_api.h"
#include "hcimsgs.h"
+#include "log/log.h"
#include "l2c_int.h"
#include "osi/include/log.h"
#include "smp_api.h"
@@ -2251,6 +2252,13 @@
if (event == SMP_COMPLT_EVT && !p_data->cmplt.smp_over_br)
{
+ p_dev_rec = btm_find_dev(bd_addr);
+ if (p_dev_rec == NULL)
+ {
+ BTM_TRACE_ERROR ("%s: p_dev_rec is NULL", __func__);
+ android_errorWriteLog(0x534e4554, "120612744");
+ return 0;
+ }
BTM_TRACE_DEBUG ("evt=SMP_COMPLT_EVT before update sec_level=0x%x sec_flags=0x%x", p_data->cmplt.sec_level , p_dev_rec->sec_flags );
res = (p_data->cmplt.reason == SMP_SUCCESS) ? BTM_SUCCESS : BTM_ERR_PROCESSING;
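Review bot: The new `btm_find_dev(bd_addr)` lookup inside the SMP_COMPLT_EVT branch re-resolves a pointer the function already holds, and with no comment it reads as redundant and is the kind of line a later cleanup removes; a why-comment would protect it, e.g. `/* Re-look up the record: earlier processing in this callback may have freed it (b/120612744) */`. The guard returns before the trace line that dereferences p_dev_rec, which is the intended fix; whether 0 is the right value for every caller depends on btm_proc_smp_cback's return contract, which is not visible here. The enclosing function starts and ends outside the hunk.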
diff --git a/stack/l2cap/l2c_fcr.c b/stack/l2cap/l2c_fcr.c
index 94514f9..e9d373d 100644
--- a/stack/l2cap/l2c_fcr.c
+++ b/stack/l2cap/l2c_fcr.c
@@ -871,7 +871,16 @@
if (p_ccb->is_first_seg)
{
+ if (p_buf->len < sizeof(sdu_length)) {
+ L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",
+ __func__, p_buf->len);
+ android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);
+ /* Discard the buffer */
+ osi_free(p_buf);
+ return;
+ }
STREAM_TO_UINT16(sdu_length, p);
+
/* Check the SDU Length with local MTU size */
if (sdu_length > p_ccb->local_conn_cfg.mtu)
{
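Review bot: The trace on the new guard hard-codes `Need at least 2.` while the check itself uses `sizeof(sdu_length)`, so the message and the condition can drift apart if the header type ever changes; print the same quantity the check uses, `L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least %zu.", __func__, p_buf->len, sizeof(sdu_length));`. The discard path frees p_buf and returns, which presumably mirrors what the MTU check does in the branch that continues past the hunk; confirm that branch also frees rather than leaking. l2c_lcc_proc_pdu starts before and ends after this hunk.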
@@ -880,6 +889,9 @@
return;
}
+ p_buf->len -= sizeof(sdu_length);
+ p_buf->offset += sizeof(sdu_length);
+
if (sdu_length < p_buf->len) {
L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
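Review bot: Moving `p_buf->len -= sizeof(sdu_length)` and the matching offset adjustment ahead of the `sdu_length < p_buf->len` test changes what that test compares against (the first segment's payload, header excluded), and nothing in the hunk records that; add `/* Strip the 2-byte SDU length header so len covers the first segment's payload only */` above the adjustment. The invalid-sdu_length path that follows presumably discards the buffer, which is fine with len/offset already rewritten, but worth keeping in mind if that buffer is ever re-queued instead of freed. The enclosing function continues outside the hunk.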
@@ -899,8 +911,6 @@
p_data->len = 0;
p_ccb->ble_sdu_length = sdu_length;
L2CAP_TRACE_DEBUG ("%s SDU Length = %d",__func__,sdu_length);
- p_buf->len -= sizeof(sdu_length);
- p_buf->offset += sizeof(sdu_length);
p_data->offset = 0;
} else {
p_data = p_ccb->ble_sdu;
diff --git a/stack/l2cap/l2c_main.c b/stack/l2cap/l2c_main.c
index b8d0eb3..c9344f8 100644
--- a/stack/l2cap/l2c_main.c
+++ b/stack/l2cap/l2c_main.c
@@ -496,7 +496,11 @@
{
case L2CAP_CFG_TYPE_MTU:
cfg_info.mtu_present = TRUE;
- if (p + 2 > p_next_cmd) {
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
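Review bot: The added `cfg_len != 2` check is repeated, with a different literal, in all six option cases of this switch, and the QOS, FCR and EXT_FLOW lengths are written as arithmetic (`2 + 5 * 4`, `3 + 3 * 2`, `2 + 2 + 3 * 4`) that a reader has to decode against the spec; a named constant per option, or one static helper taking the expected length, would make the check self-describing and keep the two log points in a single place. l2cdefs.h presumably already carries per-option length macros used on the encoding side in l2c_utils.c — verify and reuse those rather than adding new literals. The enclosing function starts and ends outside the hunk.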
@@ -505,7 +509,11 @@
case L2CAP_CFG_TYPE_FLUSH_TOUT:
cfg_info.flush_to_present = TRUE;
- if (p + 2 > p_next_cmd) {
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
@@ -514,7 +522,11 @@
case L2CAP_CFG_TYPE_QOS:
cfg_info.qos_present = TRUE;
- if (p + 2 + 5 * 4 > p_next_cmd) {
+ if (cfg_len != 2 + 5 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
@@ -529,7 +541,11 @@
case L2CAP_CFG_TYPE_FCR:
cfg_info.fcr_present = TRUE;
- if (p + 3 + 3 * 2 > p_next_cmd) {
+ if (cfg_len != 3 + 3 * 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
@@ -543,7 +559,11 @@
case L2CAP_CFG_TYPE_FCS:
cfg_info.fcs_present = TRUE;
- if (p + 1 > p_next_cmd) {
+ if (cfg_len != 1) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
@@ -552,7 +572,11 @@
case L2CAP_CFG_TYPE_EXT_FLOW:
cfg_info.ext_flow_spec_present = TRUE;
- if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+ if (cfg_len != 2 + 2 + 3 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
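Review bot: On a length mismatch the new code returns from process_l2cap_cmd without answering, the same as the existing overrun check, so a peer that sends a malformed or vendor-extended EXT_FLOW option presumably gets no Configure Response and waits out its timer; the L2CAP configuration result codes for rejected or unacceptable parameters exist for this situation and would be friendlier for interop, though silently dropping is the conservative choice for a security patch. If the drop stays, record the decision with `/* Malformed option: drop the whole command rather than parse past the option boundary */`. The enclosing function starts and ends outside the hunk.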
diff --git a/stack/l2cap/l2c_utils.c b/stack/l2cap/l2c_utils.c
index e774175..6e51747 100644
--- a/stack/l2cap/l2c_utils.c
+++ b/stack/l2cap/l2c_utils.c
@@ -859,6 +859,9 @@
case L2CAP_CFG_TYPE_MTU:
case L2CAP_CFG_TYPE_FLUSH_TOUT:
case L2CAP_CFG_TYPE_QOS:
+ case L2CAP_CFG_TYPE_FCR:
+ case L2CAP_CFG_TYPE_FCS:
+ case L2CAP_CFG_TYPE_EXT_FLOW:
p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
break;
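Review bot: Adding FCR, FCS and EXT_FLOW to this case group makes the advance `p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD` depend on cfg_len having been validated for those types too, which the l2c_main.c hunks in this same commit now do, but nothing here says so; a comment on the group, `/* Fixed-length options already length-checked in process_l2cap_cmd; skip the payload */`, would make the dependency visible. If this function can be reached with a cfg_len that was not validated upstream, the advance should be bounded against the end of the option list before the next iteration. The enclosing function starts and ends outside the hunk.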