author | 2018-07-12 21:19:10 -0700 | |
committer | 2018-07-12 21:19:10 -0700 | |
commit | 87cd4255fcb3e2a89f39d37e18f242f628d4a2eb (patch) | |
tree | 2ca1d8e20f0e15a7891e076872abd57704a478f2 | |
parent | 897f6c50c94705800b1b4654eb869b761fae0558 (diff) | |
parent | feb094e42779891128c36d5c6883cbfb4098b26e (diff) |
Merge "Add bound check for rfc_parse_data" into oc-dev am: 0596fc6764 am: 5b731adc56
am: feb094e427
Change-Id: I571e6531ff65aaf23629c2204c96f9ac3cc4acd1
-rw-r--r-- | system/stack/include/rfcdefs.h | 7 | ||||
-rw-r--r-- | system/stack/rfcomm/rfc_ts_frames.cc | 12 |
2 files changed, 11 insertions, 8 deletions
diff --git a/system/stack/include/rfcdefs.h b/system/stack/include/rfcdefs.h
index aba555d852..ca9b3ce520 100644
--- a/system/stack/include/rfcdefs.h
+++ b/system/stack/include/rfcdefs.h
@@ -89,13 +89,6 @@
 (pf) = (*(p_data)++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET; \
 }
-#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data) \
- { \
- (ea) = (*(p_data)&RFCOMM_EA); \
- (length) = (*(p_data)++ >> RFCOMM_SHIFT_LENGTH1); \
- if (!(ea)) (length) += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2); \
- }
-
 #define RFCOMM_FRAME_IS_CMD(initiator, cr) \
 (((initiator) && !(cr)) || (!(initiator) && (cr)))
diff --git a/system/stack/rfcomm/rfc_ts_frames.cc b/system/stack/rfcomm/rfc_ts_frames.cc
index 0c8ce09f68..b810a3f766 100644
--- a/system/stack/rfcomm/rfc_ts_frames.cc
+++ b/system/stack/rfcomm/rfc_ts_frames.cc
@@ -26,6 +26,7 @@
 #include "bt_common.h"
 #include "bt_target.h"
 #include "l2c_api.h"
+#include "log/log.h"
 #include "port_api.h"
 #include "port_int.h"
 #include "rfc_int.h"
@@ -516,7 +517,16 @@ uint8_t rfc_parse_data(tRFC_MCB* p_mcb, MX_FRAME* p_frame, BT_HDR* p_buf) {
 return (RFC_EVENT_BAD_FRAME);
 }
 RFCOMM_PARSE_TYPE_FIELD(p_frame->type, p_frame->pf, p_data);
- RFCOMM_PARSE_LEN_FIELD(eal, len, p_data);
+
+ eal = *(p_data)&RFCOMM_EA;
+ len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
+ if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN) {
+ len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
+ } else if (eal == 0) {
+ RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
+ android_errorWriteLog(0x534e4554, "78288018");
+ return RFC_EVENT_BAD_FRAME;
+ }
 p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
 p_buf->offset += (3 + !ead + !eal); |
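Review bot: The direction of the new guard in rfc_parse_data looks inverted: the second length byte is consumed only when `p_buf->len < RFCOMM_CTRL_FRAME_LEN`, i.e. when the frame is *shorter* than the constant, and a frame with EA clear that is at least that long is rejected as RFC_EVENT_BAD_FRAME, which is the opposite of what a "byte is available to read" check should do and would also reject every legitimate two-byte-length frame. If the intent is to confirm that the extra length byte is present before `p_data` is advanced past it, the condition should express that directly, e.g. `if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN)` (the exact bound depends on RFCOMM_CTRL_FRAME_LEN's value, which is defined outside this hunk, so confirm against rfcdefs.h). A check on the whole-buffer length is also only sound if the bytes preceding `p_data` were already validated; a remaining-bytes comparison against the end of the buffer would make that explicit. Note that rfc_parse_data starts and ends outside the hunk, and the unconditional `p_buf->len -= (3 + !ead + !eal + 1)` that follows still underflows for a short frame if the earlier check does not cover it.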