mirror/btstack
1
0
Fork 0
mirror of https://github.com/bluekitchen/btstack.git synced 2025-04-16 08:42:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

add buffer overrun checks to ACL recombination

Browse Source
This commit is contained in:
matthias.ringwald@gmail.com 2014-11-20 15:11:50 +00:00
parent c4a802709c
commit 0ca847af67
1 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/hci.c
View File

@ -567,12 +567,18 @@ static void acl_handler(uint8_t *packet, int size){
case 0x01: // continuation fragment case 0x01: // continuation fragment
// sanity check // sanity checks
if (conn->acl_recombination_pos == 0) { if (conn->acl_recombination_pos == 0) {
log_error( "ACL Cont Fragment but no first fragment for handle 0x%02x", con_handle); log_error( "ACL Cont Fragment but no first fragment for handle 0x%02x", con_handle);
return; return;
} }
if (conn->acl_recombination_pos + acl_length > 4 + HCI_ACL_BUFFER_SIZE){
log_error( "ACL Cont Fragment to large: combined packet %u > buffer size %u for handle 0x%02x",
conn->acl_recombination_pos + acl_length, 4 + HCI_ACL_BUFFER_SIZE, con_handle);
conn->acl_recombination_pos = 0;
return;
}
// append fragment payload (header already stored) // append fragment payload (header already stored)
memcpy(&conn->acl_recombination_buffer[HCI_INCOMING_PRE_BUFFER_SIZE + conn->acl_recombination_pos], &packet[4], acl_length ); memcpy(&conn->acl_recombination_buffer[HCI_INCOMING_PRE_BUFFER_SIZE + conn->acl_recombination_pos], &packet[4], acl_length );
conn->acl_recombination_pos += acl_length; conn->acl_recombination_pos += acl_length;
@ -592,12 +598,6 @@ static void acl_handler(uint8_t *packet, int size){
case 0x02: { // first fragment case 0x02: { // first fragment
// sanity check
if (conn->acl_recombination_pos) {
log_error( "ACL First Fragment but data in buffer for handle 0x%02x", con_handle);
return;
}
// peek into L2CAP packet! // peek into L2CAP packet!
uint16_t l2cap_length = READ_L2CAP_LENGTH( packet ); uint16_t l2cap_length = READ_L2CAP_LENGTH( packet );
@ -610,6 +610,18 @@ static void acl_handler(uint8_t *packet, int size){
hci_stack->packet_handler(HCI_ACL_DATA_PACKET, packet, acl_length + 4); hci_stack->packet_handler(HCI_ACL_DATA_PACKET, packet, acl_length + 4);
} else { } else {
// sanity check
if (conn->acl_recombination_pos) {
log_error( "ACL First Fragment but data in buffer for handle 0x%02x", con_handle);
return;
}
if (acl_length > HCI_ACL_BUFFER_SIZE){
log_error( "ACL First Fragment to large: fragment %u > buffer size %u for handle 0x%02x",
4 + acl_length, 4 + HCI_ACL_BUFFER_SIZE, con_handle);
return;
}
// store first fragment and tweak acl length for complete package // store first fragment and tweak acl length for complete package
memcpy(&conn->acl_recombination_buffer[HCI_INCOMING_PRE_BUFFER_SIZE], packet, acl_length + 4); memcpy(&conn->acl_recombination_buffer[HCI_INCOMING_PRE_BUFFER_SIZE], packet, acl_length + 4);
conn->acl_recombination_pos = acl_length + 4; conn->acl_recombination_pos = acl_length + 4;