commit | e0126c6e351a4cfe9bf7cc057fa2635d0de7c01b | [log] [tgz] |
---|---|---|
author | tyiu <tyiu@google.com> | Tue Mar 28 18:40:51 2023 +0000 |
committer | Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners> | Thu Jul 27 18:06:16 2023 +0530 |
tree | fc86a7c7ca6a6671065b411687a1c4c982d79cfc | |
parent | b370c30382552a945adf66a9910e2b3bf3843487 [diff] |
Fix gatt_end_operation buffer overflow Added boundary check for gatt_end_operation to prevent writing out of boundary. Since response of the GATT server is handled in gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum lenth that can be passed into the handlers is bounded by GATT_MAX_MTU_SIZE, which is set to 517, which is greater than GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec that gaurentees MTU response to be less than or equal to 512 bytes can cause a buffer overflow when performing memcpy without length check. Bug: 261068592 Test: No test since not affecting behavior Tag: #security Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200) Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873 Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873 Change-Id: I8e0d72ac6379d7b48796668c1a8c072a452c88e0
Just build AOSP - Fluoride is there by default.
Instructions for Ubuntu, tested on 14.04 with Clang 3.5.0 and 16.10 with Clang 3.8.0
mkdir ~/fluoride cd ~/fluoride git clone https://android.googlesource.com/platform/system/bt
Install dependencies (require sudo access):
cd ~/fluoride/bt build/install_deps.sh
Then fetch third party dependencies:
cd ~/fluoride/bt mkdir third_party cd third_party git clone https://github.com/google/googletest.git git clone https://android.googlesource.com/platform/external/aac git clone https://android.googlesource.com/platform/external/libchrome git clone https://android.googlesource.com/platform/external/libldac git clone https://android.googlesource.com/platform/external/modp_b64 git clone https://android.googlesource.com/platform/external/tinyxml2
And third party dependencies of third party dependencies:
cd fluoride/bt/third_party/libchrome/base/third_party mkdir valgrind cd valgrind curl https://chromium.googlesource.com/chromium/src/base/+/master/third_party/valgrind/valgrind.h?format=TEXT | base64 -d > valgrind.h curl https://chromium.googlesource.com/chromium/src/base/+/master/third_party/valgrind/memcheck.h?format=TEXT | base64 -d > memcheck.h
NOTE: If system/bt is checked out under AOSP, then create symbolic links instead of downloading sources
cd system/bt mkdir third_party cd third_party ln -s ../../../external/aac aac ln -s ../../../external/libchrome libchrome ln -s ../../../external/libldac libldac ln -s ../../../external/modp_b64 modp_b64 ln -s ../../../external/tinyxml2 tinyxml2 ln -s ../../../external/googletest googletest
cd ~/fluoride/bt gn gen out/Default
cd ~/fluoride/bt ninja -C out/Default all
This will build all targets (the shared library, executables, tests, etc) and put them in out/Default. To build an individual target, replace "all" with the target of your choice, e.g. ninja -C out/Default net_test_osi
.
cd ~/fluoride/bt/out/Default LD_LIBRARY_PATH=./ ./bluetoothtbd -create-ipc-socket=fluoride
Follows the Chromium project Eclipse Setup Instructions until "Optional: Building inside Eclipse" section (don't do that section, we will set it up differently)
Generate Eclipse settings:
cd system/bt gn gen --ide=eclipse out/Default
In Eclipse, do File->Import->C/C++->C/C++ Project Settings, choose the XML location under system/bt/out/Default
Right click on the project. Go to Preferences->C/C++ Build->Builder Settings. Uncheck "Use default build command", but instead using "ninja -C out/Default"
Goto Behaviour tab, change clean command to "-t clean"