Commit MetaInfo

修订版e7e90a7d032db429ccfb80a7c046d6128162e326 (tree)
时间2018-09-08 02:30:18
作者Pavlin Radoslavov <pavlin@goog...>
CommiterRyan Longair

Log Message

DO NOT MERGE - Check data length when parsing AVRCP vendor specific command responses

Bug: 111450531
Bug: 111896861
Test: PoC test program
Change-Id: I564bee8f05efabc29383659a75e695b4da76c6aa
(cherry picked from commit 7439ea940354f65a147c4ecfce3bada49c688047)
(cherry picked from commit 8148397ca29a4795dffdd6daadc33af43aa9694f)


--- a/stack/avrc/avrc_pars_ct.c
+++ b/stack/avrc/avrc_pars_ct.c
@@ -56,14 +56,34 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p
5656 if (p_msg->p_vendor_data == NULL)
5757 return AVRC_STS_INTERNAL_ERR;
5858
59+ if (p_msg->vendor_len < 4) {
60+ android_errorWriteLog(0x534e4554, "111450531");
61+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least 4",
62+ __func__, p_msg->vendor_len);
63+ return AVRC_STS_INTERNAL_ERR;
64+ }
5965 p = p_msg->p_vendor_data;
6066 BE_STREAM_TO_UINT8 (p_result->pdu, p);
6167 p++; /* skip the reserved/packe_type byte */
6268 BE_STREAM_TO_UINT16 (len, p);
63- AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x",
64- __func__, p_msg->hdr.ctype, p_result->pdu, len, len);
69+ AVRC_TRACE_DEBUG("%s ctype:0x%x pdu:0x%x, len:%d/0x%x vendor_len=0x%x",
70+ __func__, p_msg->hdr.ctype, p_result->pdu, len, len,
71+ p_msg->vendor_len);
72+ if (p_msg->vendor_len < len + 4) {
73+ android_errorWriteLog(0x534e4554, "111450531");
74+ AVRC_TRACE_WARNING("%s: message length %d too short: must be at least %d",
75+ __func__, p_msg->vendor_len, len + 4);
76+ return AVRC_STS_INTERNAL_ERR;
77+ }
78+
6579 if (p_msg->hdr.ctype == AVRC_RSP_REJ)
6680 {
81+ if (len < 1) {
82+ android_errorWriteLog(0x534e4554, "111450531");
83+ AVRC_TRACE_WARNING("%s: invalid parameter length %d: must be at least 1",
84+ __func__, len);
85+ return AVRC_STS_INTERNAL_ERR;
86+ }
6787 p_result->rsp.status = *p;
6888 return p_result->rsp.status;
6989 }
@@ -86,11 +106,25 @@ static tAVRC_STS avrc_pars_vendor_rsp(tAVRC_MSG_VENDOR *p_msg, tAVRC_RESPONSE *p
86106
87107 case AVRC_PDU_REGISTER_NOTIFICATION: /* 0x31 */
88108 #if (AVRC_ADV_CTRL_INCLUDED == TRUE)
109+ if (len < 1) {
110+ android_errorWriteLog(0x534e4554, "111450531");
111+ AVRC_TRACE_WARNING(
112+ "%s: invalid parameter length %d: must be at least 1", __func__,
113+ len);
114+ return AVRC_STS_INTERNAL_ERR;
115+ }
89116 BE_STREAM_TO_UINT8 (eventid, p);
90117 if(AVRC_EVT_VOLUME_CHANGE==eventid
91118 && (AVRC_RSP_CHANGED==p_msg->hdr.ctype || AVRC_RSP_INTERIM==p_msg->hdr.ctype
92119 || AVRC_RSP_REJ==p_msg->hdr.ctype || AVRC_RSP_NOT_IMPL==p_msg->hdr.ctype))
93120 {
121+ if (len < 2) {
122+ android_errorWriteLog(0x534e4554, "111450531");
123+ AVRC_TRACE_WARNING(
124+ "%s: invalid parameter length %d: must be at least 2", __func__,
125+ len);
126+ return AVRC_STS_INTERNAL_ERR;
127+ }
94128 p_result->reg_notif.status=p_msg->hdr.ctype;
95129 p_result->reg_notif.event_id=eventid;
96130 BE_STREAM_TO_UINT8 (p_result->reg_notif.param.volume, p);