Merge branch 'dev/11/fp3/security-aosp-rvc-release' into int/11/fp3
* dev/11/fp3/security-aosp-rvc-release:
Fix OOB access in avdt_scb_hdl_pkt_no_frag
Revert "Fix OOB access in avdt_scb_hdl_pkt_no_frag"
Fix an OOB bug in register_notification_rsp
Fix OOB access in avdt_scb_hdl_pkt_no_frag
Fix an OOB write in SDP_AddAttribute
Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
Fix an OOB Write bug in gatt_check_write_long_terminate
Add bounds check in avdt_scb_act.cc
Change-Id: Iea0e5ebf2020354eb70d0eb4674a0b137cd2126e
diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc
index 9fc221e..b93a6bf 100755
--- a/btif/src/btif_rc.cc
+++ b/btif/src/btif_rc.cc
@@ -1968,6 +1968,11 @@
dump_rc_notification_event_id(event_id));
std::unique_lock<std::mutex> lock(btif_rc_cb.lock);
+ if (event_id > MAX_RC_NOTIFICATIONS) {
+ BTIF_TRACE_ERROR("Invalid event id");
+ return BT_STATUS_PARM_INVALID;
+ }
+
memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP));
avrc_rsp.reg_notif.event_id = event_id;
diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
index 388419b..d44cf12 100644
--- a/stack/a2dp/a2dp_sbc.cc
+++ b/stack/a2dp/a2dp_sbc.cc
@@ -708,6 +708,11 @@
BT_HDR* p_buf, uint16_t frames_per_packet) {
uint8_t* p;
+ // there is a timestamp right following p_buf
+ if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
+ return false;
+ }
+
p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
p = (uint8_t*)(p_buf + 1) + p_buf->offset;
p_buf->len += A2DP_SBC_MPL_HDR_LEN;
diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
index ff9ade2..f2de4ba 100644
--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
@@ -258,8 +258,8 @@
p += ex_len * 4;
}
- if ((p - p_start) > len) {
- android_errorWriteLog(0x534e4554, "142546355");
+ if ((p - p_start) >= len) {
+ AVDT_TRACE_WARNING("%s: handling malformatted packet: ex_len too large", __func__);
osi_free_and_reset((void**)&p_data->p_pkt);
return;
}
@@ -268,11 +268,11 @@
/* adjust length for any padding at end of packet */
if (o_p) {
/* padding length in last byte of packet */
- pad_len = *(p_start + len);
+ pad_len = *(p_start + len - 1);
}
/* do sanity check */
- if (pad_len > (len - offset)) {
+ if (pad_len >= (len - offset)) {
AVDT_TRACE_WARNING("Got bad media packet");
osi_free_and_reset((void**)&p_data->p_pkt);
}
@@ -982,6 +982,11 @@
/* Build a media packet, and add an RTP header if required. */
if (add_rtp_header) {
+ if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) {
+ android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);
+ return;
+ }
+
ssrc = avdt_scb_gen_ssrc(p_scb);
p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 842cb6c..ff1e5af 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -572,7 +572,8 @@
LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
gatt_dbg_op_name(op_code), len);
- if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
+ if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
+ len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
LOG(ERROR) << "illegal prepare write response length, discard";
gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
return;
@@ -581,7 +582,7 @@
STREAM_TO_UINT16(value.handle, p);
STREAM_TO_UINT16(value.offset, p);
- value.len = len - 4;
+ value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
memcpy(value.value, p, value.len);
diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
index 2cc04b0..dd06230 100644
--- a/stack/sdp/sdp_db.cc
+++ b/stack/sdp/sdp_db.cc
@@ -357,6 +357,11 @@
uint16_t xx, yy, zz;
tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
+ if (p_val == nullptr) {
+ SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
+ return (false);
+ }
+
if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
if ((attr_type == UINT_DESC_TYPE) ||
(attr_type == TWO_COMP_INT_DESC_TYPE) ||
@@ -393,6 +398,13 @@
if (p_rec->record_handle == handle) {
tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];
+ // error out early, no need to look up
+ if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
+ SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
+ "full, skip adding the attribute", handle);
+ return (false);
+ }
+
/* Found the record. Now, see if the attribute already exists */
for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
/* The attribute exists. replace it */
@@ -432,15 +444,13 @@
attr_len = 0;
}
- if ((attr_len > 0) && (p_val != 0)) {
+ if (attr_len > 0) {
p_attr->len = attr_len;
memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
p_rec->free_pad_ptr += attr_len;
- } else if ((attr_len == 0 &&
- p_attr->len !=
- 0) || /* if truncate to 0 length, simply don't add */
- p_val == 0) {
+ } else if (attr_len == 0 && p_attr->len != 0) {
+ /* if truncate to 0 length, simply don't add */
SDP_TRACE_ERROR(
"SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
attr_id, attr_len);