system/bt
| 修订版 | 70b6fc4e67b4163130985808b062a749eb2cd644 (tree) |
|---|---|
| 时间 | 2018-11-27 02:19:49 |
| 作者 | Myles Watson <mylesgw@goog...> |
| Commiter | android-build-team Robot |
DO NOT MERGE: SDP: Check p_end in save_attr_seq and add_attr
Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit 2aad270709f01481e91f7fdaafbebee49130cd28)
stack/sdp/sdp_discovery.cc (diff)| @@ -53,7 +53,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
| 53 | 53 | static uint8_t* save_attr_seq(tCONN_CB* p_ccb, uint8_t* p, uint8_t* p_msg_end); |
| 54 | 54 | static tSDP_DISC_REC* add_record(tSDP_DISCOVERY_DB* p_db, |
| 55 | 55 | const RawAddress& p_bda); |
| 56 | -static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db, | |
| 56 | +static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db, | |
| 57 | 57 | tSDP_DISC_REC* p_rec, uint16_t attr_id, |
| 58 | 58 | tSDP_DISC_ATTR* p_parent_attr, uint8_t nest_level); |
| 59 | 59 |
| @@ -767,7 +767,7 @@ static uint8_t* save_attr_seq(tCONN_CB* p_ccb, uint8_t* p, uint8_t* p_msg_end) { | ||
| 767 | 767 | BE_STREAM_TO_UINT16(attr_id, p); |
| 768 | 768 | |
| 769 | 769 | /* Now, add the attribute value */ |
| 770 | - p = add_attr(p, p_ccb->p_db, p_rec, attr_id, NULL, 0); | |
| 770 | + p = add_attr(p, p_seq_end, p_ccb->p_db, p_rec, attr_id, NULL, 0); | |
| 771 | 771 | |
| 772 | 772 | if (!p) { |
| 773 | 773 | SDP_TRACE_WARNING("SDP - DB full add_attr"); |
| @@ -827,7 +827,7 @@ tSDP_DISC_REC* add_record(tSDP_DISCOVERY_DB* p_db, const RawAddress& p_bda) { | ||
| 827 | 827 | * Returns pointer to next byte in data stream |
| 828 | 828 | * |
| 829 | 829 | ******************************************************************************/ |
| 830 | -static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db, | |
| 830 | +static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db, | |
| 831 | 831 | tSDP_DISC_REC* p_rec, uint16_t attr_id, |
| 832 | 832 | tSDP_DISC_ATTR* p_parent_attr, uint8_t nest_level) { |
| 833 | 833 | tSDP_DISC_ATTR* p_attr; |
| @@ -836,7 +836,7 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db, | ||
| 836 | 836 | uint16_t attr_type; |
| 837 | 837 | uint16_t id; |
| 838 | 838 | uint8_t type; |
| 839 | - uint8_t* p_end; | |
| 839 | + uint8_t* p_attr_end; | |
| 840 | 840 | uint8_t is_additional_list = nest_level & SDP_ADDITIONAL_LIST_MASK; |
| 841 | 841 | |
| 842 | 842 | nest_level &= ~(SDP_ADDITIONAL_LIST_MASK); |
| @@ -853,6 +853,13 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db, | ||
| 853 | 853 | else |
| 854 | 854 | total_len = sizeof(tSDP_DISC_ATTR); |
| 855 | 855 | |
| 856 | + p_attr_end = p + attr_len; | |
| 857 | + if (p_attr_end > p_end) { | |
| 858 | + android_errorWriteLog(0x534e4554, "115900043"); | |
| 859 | + SDP_TRACE_WARNING("%s: SDP - Attribute length beyond p_end", __func__); | |
| 860 | + return NULL; | |
| 861 | + } | |
| 862 | + | |
| 856 | 863 | /* Ensure it is a multiple of 4 */ |
| 857 | 864 | total_len = (total_len + 3) & ~3; |
| 858 | 865 |
| @@ -876,18 +883,17 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db, | ||
| 876 | 883 | * sub-attributes */ |
| 877 | 884 | p_db->p_free_mem += sizeof(tSDP_DISC_ATTR); |
| 878 | 885 | p_db->mem_free -= sizeof(tSDP_DISC_ATTR); |
| 879 | - p_end = p + attr_len; | |
| 880 | 886 | total_len = 0; |
| 881 | 887 | |
| 882 | 888 | /* SDP_TRACE_DEBUG ("SDP - attr nest level:%d(list)", nest_level); */ |
| 883 | 889 | if (nest_level >= MAX_NEST_LEVELS) { |
| 884 | 890 | SDP_TRACE_ERROR("SDP - attr nesting too deep"); |
| 885 | - return (p_end); | |
| 891 | + return p_attr_end; | |
| 886 | 892 | } |
| 887 | 893 | |
| 888 | 894 | /* Now, add the list entry */ |
| 889 | - p = add_attr(p, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST, p_attr, | |
| 890 | - (uint8_t)(nest_level + 1)); | |
| 895 | + p = add_attr(p, p_end, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST, | |
| 896 | + p_attr, (uint8_t)(nest_level + 1)); | |
| 891 | 897 | |
| 892 | 898 | break; |
| 893 | 899 | } |
| @@ -946,7 +952,7 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db, | ||
| 946 | 952 | break; |
| 947 | 953 | default: |
| 948 | 954 | SDP_TRACE_WARNING("SDP - bad len in UUID attr: %d", attr_len); |
| 949 | - return (p + attr_len); | |
| 955 | + return p_attr_end; | |
| 950 | 956 | } |
| 951 | 957 | break; |
| 952 | 958 |
| @@ -956,22 +962,22 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db, | ||
| 956 | 962 | * sub-attributes */ |
| 957 | 963 | p_db->p_free_mem += sizeof(tSDP_DISC_ATTR); |
| 958 | 964 | p_db->mem_free -= sizeof(tSDP_DISC_ATTR); |
| 959 | - p_end = p + attr_len; | |
| 960 | 965 | total_len = 0; |
| 961 | 966 | |
| 962 | 967 | /* SDP_TRACE_DEBUG ("SDP - attr nest level:%d", nest_level); */ |
| 963 | 968 | if (nest_level >= MAX_NEST_LEVELS) { |
| 964 | 969 | SDP_TRACE_ERROR("SDP - attr nesting too deep"); |
| 965 | - return (p_end); | |
| 970 | + return p_attr_end; | |
| 966 | 971 | } |
| 967 | 972 | if (is_additional_list != 0 || |
| 968 | 973 | attr_id == ATTR_ID_ADDITION_PROTO_DESC_LISTS) |
| 969 | 974 | nest_level |= SDP_ADDITIONAL_LIST_MASK; |
| 970 | 975 | /* SDP_TRACE_DEBUG ("SDP - attr nest level:0x%x(finish)", nest_level); */ |
| 971 | 976 | |
| 972 | - while (p < p_end) { | |
| 977 | + while (p < p_attr_end) { | |
| 973 | 978 | /* Now, add the list entry */ |
| 974 | - p = add_attr(p, p_db, p_rec, 0, p_attr, (uint8_t)(nest_level + 1)); | |
| 979 | + p = add_attr(p, p_end, p_db, p_rec, 0, p_attr, | |
| 980 | + (uint8_t)(nest_level + 1)); | |
| 975 | 981 | |
| 976 | 982 | if (!p) return (NULL); |
| 977 | 983 | } |
| @@ -989,7 +995,7 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db, | ||
| 989 | 995 | break; |
| 990 | 996 | default: |
| 991 | 997 | SDP_TRACE_WARNING("SDP - bad len in boolean attr: %d", attr_len); |
| 992 | - return (p + attr_len); | |
| 998 | + return p_attr_end; | |
| 993 | 999 | } |
| 994 | 1000 | break; |
| 995 | 1001 |
Fork