Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / bt / refs/tags/rel/11/fp3/8901.4.A.0022.0^1..refs/tags/rel/11/fp3/8901.4.A.0022.0 / .
commit077f473abcbdacaac69f0a3d6f3f1723524686b9[log] [tgz]
authorBharath <Bharath.Prakash@harman.com>Wed Mar 22 20:05:16 2023 +0530
committerBharath <Bharath.Prakash@harman.com>Wed Mar 22 20:05:16 2023 +0530
tree68867fafd741222976e587aa2c7f7ea81c6f4ab4
parent095553097727040c4c70b2421919d3a54bf9e905 [diff]
parent1671d8e8c7fe5668fa3904c2be502dba457a442e [diff]
Merge branch 'dev/11/fp3/security-aosp-rvc-release' into int/11/fp3

* dev/11/fp3/security-aosp-rvc-release:
  Fix OOB access in avdt_scb_hdl_pkt_no_frag
  Revert "Fix OOB access in avdt_scb_hdl_pkt_no_frag"
  Fix an OOB bug in register_notification_rsp
  Fix OOB access in avdt_scb_hdl_pkt_no_frag
  Fix an OOB write in SDP_AddAttribute
  Fix an OOB access bug in A2DP_BuildMediaPayloadHeaderSbc
  Fix an OOB Write bug in gatt_check_write_long_terminate
  Add bounds check in avdt_scb_act.cc

Change-Id: Iea0e5ebf2020354eb70d0eb4674a0b137cd2126e

diff --git a/btif/src/btif_rc.cc b/btif/src/btif_rc.cc
index 9fc221e..b93a6bf 100755
--- a/btif/src/btif_rc.cc
+++ b/btif/src/btif_rc.cc

@@ -1968,6 +1968,11 @@
                    dump_rc_notification_event_id(event_id));
   std::unique_lock<std::mutex> lock(btif_rc_cb.lock);
 
+  if (event_id > MAX_RC_NOTIFICATIONS) {
+    BTIF_TRACE_ERROR("Invalid event id");
+    return BT_STATUS_PARM_INVALID;
+  }
+
   memset(&(avrc_rsp.reg_notif), 0, sizeof(tAVRC_REG_NOTIF_RSP));
 
   avrc_rsp.reg_notif.event_id = event_id;

diff --git a/stack/a2dp/a2dp_sbc.cc b/stack/a2dp/a2dp_sbc.cc
index 388419b..d44cf12 100644
--- a/stack/a2dp/a2dp_sbc.cc
+++ b/stack/a2dp/a2dp_sbc.cc

@@ -708,6 +708,11 @@
                               BT_HDR* p_buf, uint16_t frames_per_packet) {
   uint8_t* p;
 
+  // there is a timestamp right following p_buf
+  if (p_buf->offset < 4 + A2DP_SBC_MPL_HDR_LEN) {
+    return false;
+  }
+
   p_buf->offset -= A2DP_SBC_MPL_HDR_LEN;
   p = (uint8_t*)(p_buf + 1) + p_buf->offset;
   p_buf->len += A2DP_SBC_MPL_HDR_LEN;

diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
index ff9ade2..f2de4ba 100644
--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc

@@ -258,8 +258,8 @@
     p += ex_len * 4;
   }
 
-  if ((p - p_start) > len) {
-    android_errorWriteLog(0x534e4554, "142546355");
+  if ((p - p_start) >= len) {
+    AVDT_TRACE_WARNING("%s: handling malformatted packet: ex_len too large", __func__);
     osi_free_and_reset((void**)&p_data->p_pkt);
     return;
   }
@@ -268,11 +268,11 @@
   /* adjust length for any padding at end of packet */
   if (o_p) {
     /* padding length in last byte of packet */
-    pad_len = *(p_start + len);
+    pad_len = *(p_start + len - 1);
   }
 
   /* do sanity check */
-  if (pad_len > (len - offset)) {
+  if (pad_len >= (len - offset)) {
     AVDT_TRACE_WARNING("Got bad media packet");
     osi_free_and_reset((void**)&p_data->p_pkt);
   }
@@ -982,6 +982,11 @@
 
   /* Build a media packet, and add an RTP header if required. */
   if (add_rtp_header) {
+    if (p_data->apiwrite.p_buf->offset < AVDT_MEDIA_HDR_SIZE) {
+      android_errorWriteWithInfoLog(0x534e4554, "242535997", -1, NULL, 0);
+      return;
+    }
+
     ssrc = avdt_scb_gen_ssrc(p_scb);
 
     p_data->apiwrite.p_buf->len += AVDT_MEDIA_HDR_SIZE;

diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 842cb6c..ff1e5af 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc

@@ -572,7 +572,8 @@
   LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
                              gatt_dbg_op_name(op_code), len);
 
-  if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
+  if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
+      len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
     LOG(ERROR) << "illegal prepare write response length, discard";
     gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
     return;
@@ -581,7 +582,7 @@
   STREAM_TO_UINT16(value.handle, p);
   STREAM_TO_UINT16(value.offset, p);
 
-  value.len = len - 4;
+  value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
 
   memcpy(value.value, p, value.len);
 

diff --git a/stack/sdp/sdp_db.cc b/stack/sdp/sdp_db.cc
index 2cc04b0..dd06230 100644
--- a/stack/sdp/sdp_db.cc
+++ b/stack/sdp/sdp_db.cc

@@ -357,6 +357,11 @@
   uint16_t xx, yy, zz;
   tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];
 
+  if (p_val == nullptr) {
+    SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
+    return (false);
+  }
+
   if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
     if ((attr_type == UINT_DESC_TYPE) ||
         (attr_type == TWO_COMP_INT_DESC_TYPE) ||
@@ -393,6 +398,13 @@
     if (p_rec->record_handle == handle) {
       tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];
 
+      // error out early, no need to look up
+      if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
+        SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
+                        "full, skip adding the attribute", handle);
+        return (false);
+      }
+
       /* Found the record. Now, see if the attribute already exists */
       for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
         /* The attribute exists. replace it */
@@ -432,15 +444,13 @@
           attr_len = 0;
       }
 
-      if ((attr_len > 0) && (p_val != 0)) {
+      if (attr_len > 0) {
         p_attr->len = attr_len;
         memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
         p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
         p_rec->free_pad_ptr += attr_len;
-      } else if ((attr_len == 0 &&
-                  p_attr->len !=
-                      0) || /* if truncate to 0 length, simply don't add */
-                 p_val == 0) {
+      } else if (attr_len == 0 && p_attr->len != 0) {
+        /* if truncate to 0 length, simply don't add */
         SDP_TRACE_ERROR(
             "SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
             attr_id, attr_len);