espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-10-04 02:50:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix(bt/bluedroid): fixed potential OOB in Bluedroid

Browse Source
This commit is contained in:
JinCheng
2025-09-15 12:11:24 +08:00
committed by BOT
parent 392226b37f
commit 075ed218ca
14 changed files with 279 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
components/bt/host/bluedroid/stack/rfcomm/rfc_ts_frames.c
View File

@@ -646,7 +646,17 @@ UINT8 rfc_parse_data (tRFC_MCB *p_mcb, MX_FRAME *p_frame, BT_HDR *p_buf)
return (RFC_EVENT_BAD_FRAME);
}
RFCOMM_PARSE_TYPE_FIELD (p_frame->type, p_frame->pf, p_data);
RFCOMM_PARSE_LEN_FIELD (eal, len, p_data);
eal = *(p_data) & RFCOMM_EA;
len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
if (eal == 0) {
if (p_buf->len > RFCOMM_CTRL_FRAME_LEN) {
len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
} else {
RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
return RFC_EVENT_BAD_FRAME;
}
}
p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
p_buf->offset += (3 + !ead + !eal);
@@ -670,7 +680,7 @@ UINT8 rfc_parse_data (tRFC_MCB *p_mcb, MX_FRAME *p_frame, BT_HDR *p_buf)
/* All control frames that we are sending are sent with P=1, expect */
/* reply with F=1 */
/* According to TS 07.10 spec ivalid frames are discarded without */
/* According to TS 07.10 spec invalid frames are discarded without */
/* notification to the sender */
switch (p_frame->type) {
case RFCOMM_SABME:
@@ -749,6 +759,12 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
UINT8 ea, cr, mx_len;
BOOLEAN is_command;
if (length < 2) {
RFCOMM_TRACE_ERROR("Illegal MX Frame len:%d < 2", length);
osi_free(p_buf);
return;
}
p_rx_frame->ea = *p_data & RFCOMM_EA;
p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
@@ -769,6 +785,11 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
length--;
if (!ea) {
if (length < 1) {
RFCOMM_TRACE_ERROR("Illegal MX Frame len:%d < 1 when ea = 0", length);
osi_free(p_buf);
return;
}
mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
length --;
}
@@ -847,6 +868,12 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
return;
case RFCOMM_MX_MSC:
if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
length != RFCOMM_MX_MSC_LEN_NO_BREAK) {
RFCOMM_TRACE_ERROR("Illegal MX MSC Frame len:%d", length);
osi_free(p_buf);
return;
}
ea = *p_data & RFCOMM_EA;
cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;