michaelh/zephyr
1
0
Fork 0
Code Releases Activity

Bluetooth: AVRCP: add buffer length protections.

Browse source 
Add sanity checks for AVRCP responses received.

Signed-off-by: Zihao Gao <gaozihao@xiaomi.com>
This commit is contained in:
Zihao Gao 2024-11-25 14:56:40 +08:00 committed by Benjamin Cabé
commit 4557b2f06c
1 changed files with 13 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

14
subsys/bluetooth/host/classic/avrcp.c
View file

@ -259,6 +259,10 @@ static void avrcp_unit_info_handler(struct bt_avrcp *avrcp, struct net_buf *buf,
} else { /* BT_AVCTP_RESPONSE */ } else { /* BT_AVCTP_RESPONSE */
if ((avrcp_cb != NULL) && (avrcp_cb->unit_info_rsp != NULL)) { if ((avrcp_cb != NULL) && (avrcp_cb->unit_info_rsp != NULL)) {
net_buf_pull(buf, sizeof(*avrcp_hdr)); net_buf_pull(buf, sizeof(*avrcp_hdr));
if (buf->len != 5) {
LOG_ERR("Invalid unit info length");
return;
}
net_buf_pull_u8(buf); /* Always 0x07 */ net_buf_pull_u8(buf); /* Always 0x07 */
rsp.unit_type = FIELD_GET(GENMASK(7, 3), net_buf_pull_u8(buf)); rsp.unit_type = FIELD_GET(GENMASK(7, 3), net_buf_pull_u8(buf));
rsp.company_id = net_buf_pull_be24(buf); rsp.company_id = net_buf_pull_be24(buf);
@ -279,6 +283,10 @@ static void avrcp_subunit_info_handler(struct bt_avrcp *avrcp, struct net_buf *b
} else { /* BT_AVCTP_RESPONSE */ } else { /* BT_AVCTP_RESPONSE */
if ((avrcp_cb != NULL) && (avrcp_cb->subunit_info_rsp != NULL)) { if ((avrcp_cb != NULL) && (avrcp_cb->subunit_info_rsp != NULL)) {
net_buf_pull(buf, sizeof(*avrcp_hdr)); net_buf_pull(buf, sizeof(*avrcp_hdr));
if (buf->len < 5) {
LOG_ERR("Invalid subunit info length");
return;
}
net_buf_pull_u8(buf); /* Always 0x07 */ net_buf_pull_u8(buf); /* Always 0x07 */
tmp = net_buf_pull_u8(buf); tmp = net_buf_pull_u8(buf);
rsp.subunit_type = FIELD_GET(GENMASK(7, 3), tmp); rsp.subunit_type = FIELD_GET(GENMASK(7, 3), tmp);
@ -321,8 +329,12 @@ static int avrcp_recv(struct bt_avctp *session, struct net_buf *buf)
avctp_hdr = (void *)buf->data; avctp_hdr = (void *)buf->data;
net_buf_pull(buf, sizeof(*avctp_hdr)); net_buf_pull(buf, sizeof(*avctp_hdr));
avrcp_hdr = (void *)buf->data; if (buf->len < sizeof(*avrcp_hdr)) {
LOG_ERR("invalid AVRCP header received");
return -EINVAL;
}
avrcp_hdr = (void *)buf->data;
tid = BT_AVCTP_HDR_GET_TRANSACTION_LABLE(avctp_hdr); tid = BT_AVCTP_HDR_GET_TRANSACTION_LABLE(avctp_hdr);
cr = BT_AVCTP_HDR_GET_CR(avctp_hdr); cr = BT_AVCTP_HDR_GET_CR(avctp_hdr);
ctype = BT_AVRCP_HDR_GET_CTYPE(avrcp_hdr); ctype = BT_AVRCP_HDR_GET_CTYPE(avrcp_hdr);