FM: OOB Write & Read Fix
Out-of-buffer write and read fixes for FM
Change-Id: I9b8e6158d51ca14fb24dfd002ccf0e15a0247df7
diff --git a/helium/radio-helium.h b/helium/radio-helium.h
index d3dae68..4de9213 100644
--- a/helium/radio-helium.h
+++ b/helium/radio-helium.h
@@ -619,7 +619,7 @@
struct hci_ev_af_list {
int tune_freq;
short pi_code;
- char af_size;
+ uint8_t af_size;
char af_list[FM_AF_LIST_MAX_SIZE];
} __attribute__((packed)) ;
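Review bot: Making `af_size` unsigned stops a negative count from sign-extending into a huge length, but it does not bound the count against `af_list[FM_AF_LIST_MAX_SIZE]`; a value above FM_AF_LIST_MAX_SIZE still indexes past the array unless every reader clamps it, and this commit adds no such clamp. The same holds for `data_len` versus `data[DEFAULT_DATA_SIZE]` in the hci_fm_data_rd_rsp hunk below. A field comment would at least record the invariant the consumer has to enforce: `uint8_t af_size; /* entries valid in af_list; readers must clamp to FM_AF_LIST_MAX_SIZE */`.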
@@ -693,7 +693,7 @@
} __attribute__((packed));
struct hci_fm_data_rd_rsp {
- char data_len;
+ uint8_t data_len;
char data[DEFAULT_DATA_SIZE];
} ;
@@ -755,6 +755,8 @@
#define AF_SIZE_OFFSET 6
#define AF_LIST_OFFSET 7
#define RT_A_B_FLAG_OFFSET 4
+#define RDS_PS_NUMBER_MIN 1
+#define RDS_PS_NUMBER_MAX 12
/*FM states*/
enum radio_state_t {
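Review bot: RDS_PS_NUMBER_MIN and RDS_PS_NUMBER_MAX are added without a word on what they bound; their only visible use is the range check on `buff[RDS_PS_LENGTH_OFFSET]` in radio_helium_hal.c, so a one-line comment would keep that tie explicit: `/* accepted range of the PS-string count read at RDS_PS_LENGTH_OFFSET */`. Where the upper value 12 comes from is not stated on the page, so the comment should name its source if one exists.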
diff --git a/helium/radio_helium_hal.c b/helium/radio_helium_hal.c
index e258bff..2289d3e 100644
--- a/helium/radio_helium_hal.c
+++ b/helium/radio_helium_hal.c
@@ -279,9 +279,10 @@
hal->jni_cb->fm_get_sig_thres_cb(val, status);
}
-static void hci_cc_default_data_read_rsp(char *ev_buff)
+static void hci_cc_default_data_read_rsp(uint8_t ev_buff[])
{
- int status, val= 0, data_len = 0;
+ int status, val= 0;
+ uint8_t data_len = 0;
if (ev_buff == NULL) {
ALOGE("Response buffer is null");
@@ -291,7 +292,7 @@
if (status == 0) {
data_len = ev_buff[1];
ALOGV("hci_cc_default_data_read_rsp:data_len = %d", data_len);
- memcpy(&hal->radio->def_data, &ev_buff[1], data_len + sizeof(char));
+ memcpy(&hal->radio->def_data, &ev_buff[1], data_len + sizeof(uint8_t));
if (test_bit(def_data_rd_mask_flag, CMD_DEFRD_AF_RMSSI_TH)) {
val = hal->radio->def_data.data[AF_RMSSI_TH_OFFSET];
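Review bot: `data_len` is taken from the event at `data_len = ev_buff[1];` and used unchecked as the memcpy length into `hal->radio->def_data`, whose payload is `data[DEFAULT_DATA_SIZE]`; the switch to uint8_t rules out a negative length, but a value above DEFAULT_DATA_SIZE still writes past the struct, so the out-of-bounds write the commit is titled for remains for that case. A bound before the copy closes it: `if (data_len > DEFAULT_DATA_SIZE) { ALOGE("hci_cc_default_data_read_rsp: bad data_len %d", data_len); return; }`. Whether the source event actually carries data_len bytes past ev_buff[1] is also not checked here, though the event length is not visible in this hunk. hci_cc_default_data_read_rsp starts and ends outside the hunk.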
@@ -528,7 +529,7 @@
hci_cc_sig_threshold_rsp(pbuf);
break;
case hci_common_cmd_op_pack(HCI_OCF_FM_DEFAULT_DATA_READ):
- hci_cc_default_data_read_rsp(pbuf);
+ hci_cc_default_data_read_rsp(&buff[3]);
break;
case hci_common_cmd_op_pack(HCI_OCF_FM_DEFAULT_DATA_WRITE):
hci_cc_default_data_write_rsp(pbuf);
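Review bot: `&buff[3]` is a bare magic index where every sibling case passes `pbuf`, and the header otherwise names such positions with `*_OFFSET` constants; a named offset, or a comment on why this callee bypasses pbuf, would make the relationship between pbuf and buff[3] clear to the next reader. If `buff` is still declared `char *` here, passing `&buff[3]` to the new `uint8_t ev_buff[]` parameter is also an incompatible-pointer-type conversion that compilers warn about; the declaration of buff is outside the hunk, so this is inferred. The enclosing switch starts and ends outside the hunk.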
@@ -670,6 +671,15 @@
int len;
char *data;
+ if (buff == NULL) {
+ ALOGE("%s:%s, buffer is null\n", LOG_TAG,__func__);
+ return;
+ }
+ if (buff[RDS_PS_LENGTH_OFFSET] < RDS_PS_NUMBER_MIN ||
+ buff[RDS_PS_LENGTH_OFFSET] > RDS_PS_NUMBER_MAX) {
+ ALOGE("%s:Invalid PS strings number", LOG_TAG);
+ return;
+ }
len = (buff[RDS_PS_LENGTH_OFFSET] * RDS_STRING) + RDS_OFFSET;
data = malloc(len);
if (!data) {
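Review bot: The new range check bounds the PS-string count and therefore `len`, but nothing visible confirms the event buffer actually holds `len` bytes before data is filled from `buff`; if the copy past this hunk reads `len` bytes from buff, a short event still reads beyond it. That check needs the event length, which is not visible here, so it may be enforced by the caller; a comment at the range check saying where the event length is validated would settle it either way. Minor: the two new ALOGE calls use different prefix shapes (`%s:%s` with __func__ versus `%s:` alone); one form for both would be consistent. The enclosing function starts outside the hunk and its body continues past it.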