Commit edcf32db authored by Chienyuan's avatar Chienyuan Committed by Gerrit - the friendly Code Review server

Fix OOB in BNEP_Write

Bug: 112050583
Test: PoC
Change-Id: I2ad3aceea38950b83f98819ede47538afb053ac0
(cherry picked from commit b31554e2)
CRs-Fixed: 3155069
parent 6c4cddcd
......@@ -349,10 +349,15 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
p_bcb = &(bnep_cb.bcb[handle - 1]);
/* Check MTU size */
if (p_buf->len > BNEP_MTU_SIZE) {
BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", p_buf->len,
BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, p_buf->len,
BNEP_MTU_SIZE);
osi_free(p_buf);
return (BNEP_MTU_EXCEDED);
} else if (p_buf->len < 2) {
BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
p_buf->len);
osi_free(p_buf);
return BNEP_IGNORE_CMD;
}
/* Check if the packet should be filtered out */
......@@ -449,9 +454,13 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,
/* Check MTU size. Consider the possibility of having extension headers */
if (len > BNEP_MTU_SIZE) {
BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", len,
BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, len,
BNEP_MTU_SIZE);
return (BNEP_MTU_EXCEDED);
} else if (len < 2) {
BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
len);
return BNEP_IGNORE_CMD;
}
if ((!handle) || (handle > BNEP_MAX_CONNECTIONS)) return (BNEP_WRONG_HANDLE);
......
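Review bot: The new lower bound `len < 2` in BNEP_Write (and `p_buf->len < 2` in BNEP_WriteBuf) is a bare magic number, and neither hunk shows which read it protects. Presumably it covers a 16-bit field read from the start of the payload by the filter check that follows, but that code lies outside both hunks, so it is worth confirming that no later parser reads past two bytes without checking the length again. I would add a comment above each branch, for example `/* payload must hold at least the 2-byte field read by the filter check below */`, or a named constant shared by both functions. A too-short buffer is also reported as `BNEP_IGNORE_CMD`, which callers may not be able to tell apart from other ignored writes; both function bodies continue outside the hunks.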