[automerger] Checks the SMP length to fix OOB read am: 353faee793
Change-Id: I897f7f6dec710a102f8fcf0b307be6973eedf994
diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
index 4c6cd59..e3e23e0 100644
--- a/stack/smp/smp_act.c
+++ b/stack/smp/smp_act.c
@@ -1012,6 +1012,14 @@
UINT8 *p = (UINT8 *)p_data;
SMP_TRACE_DEBUG("%s", __func__);
+
+ if (smp_command_has_invalid_parameters(p_cb)) {
+ uint8_t reason = SMP_INVALID_PARAMETERS;
+ android_errorWriteLog(0x534e4554, "111937065");
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);
smp_key_distribution(p_cb, NULL);
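Review bot: The guard added ahead of `STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN)` has no comment saying what it protects, and its correctness rests on `smp_command_has_invalid_parameters()`, whose body is not visible in this diff. The copy reads BT_OCTET16_LEN bytes from `p` unconditionally, so the check only closes the out-of-bounds read if that helper compares the received command length against the size expected for this opcode; that is worth confirming. I would add `/* Reject a short or malformed command before the fixed 16-byte read below. */` above the `if`. A short remark that `0x534e4554` (ASCII "SNET") and `"111937065"` are presumably the security event-log tag and the tracking bug id would also help. The same applies to the identical guard in the smp_proc_id_info hunk, and the enclosing function here starts and ends outside the hunk.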
@@ -1045,7 +1053,7 @@
}
/*******************************************************************************
-** Function smp_proc_enc_info
+** Function smp_proc_id_info
** Description process identity information from peer device
*******************************************************************************/
void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
@@ -1053,6 +1061,14 @@
UINT8 *p = (UINT8 *)p_data;
SMP_TRACE_DEBUG("%s", __func__);
+
+ if (smp_command_has_invalid_parameters(p_cb)) {
+ uint8_t reason = SMP_INVALID_PARAMETERS;
+ android_errorWriteLog(0x534e4554, "111937065");
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
+ return;
+ }
+
STREAM_TO_ARRAY (p_cb->tk, p, BT_OCTET16_LEN); /* reuse TK for IRK */
smp_key_distribution_by_transport(p_cb, NULL);
}
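Review bot: The rejection sequence in smp_proc_id_info is a verbatim copy of the one added in the first hunk, including the literal log tag and bug id, so the two copies can drift apart when one is later edited. A small file-local helper that performs the check, writes the log entry, raises `SMP_AUTH_CMPL_EVT` with `SMP_INVALID_PARAMETERS` and reports whether the command was rejected would keep each handler to one line before its `STREAM_TO_ARRAY`. Failing that, named constants for the two literals would at least keep them in sync. As a point of style, `uint8_t reason` sits next to `UINT8 *p` in the same function; `UINT8 reason = SMP_INVALID_PARAMETERS;` would match the surrounding code. The function's signature lies outside this hunk.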