From 84e6c4d23f632bdffd018bfab5fba5a9cfc035d4 Mon Sep 17 00:00:00 2001
From: Milanka Ringwald
Date: Mon, 17 Feb 2025 18:39:11 +0100
Subject: [PATCH] avdtp_util: validate configuration bitmaps
---
 src/classic/avdtp_util.c | 47 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/src/classic/avdtp_util.c b/src/classic/avdtp_util.c
index 973f63f98..938f06825 100644
--- a/src/classic/avdtp_util.c
+++ b/src/classic/avdtp_util.c
@@ -1032,6 +1032,19 @@ avdtp_signaling_setup_media_codec_sbc_config_event(uint8_t *event, uint16_t size
 uint8_t block_length_bitmap = media_codec_information[1] >> 4;
 uint8_t subbands_bitmap = (media_codec_information[1] & 0x0F) >> 2;
+ if (count_set_bits_uint32(sampling_frequency_bitmap) != 1){
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_SAMPLING_FREQUENCY;
+ }
+ if (count_set_bits_uint32(channel_mode_bitmap) != 1){
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_CHANNEL_MODE;
+ }
+ if (count_set_bits_uint32(block_length_bitmap) != 1) {
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_BLOCK_LENGTH;
+ }
+ if (count_set_bits_uint32(subbands_bitmap) != 1) {
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_SUBBANDS;
+ }
+
 uint8_t num_channels = 0;
 avdtp_channel_mode_t channel_mode;
@@ -1126,6 +1139,13 @@ avdtp_signaling_setup_media_codec_mpeg_audio_config_event(uint8_t *event, uint16
 uint8_t vbr = (media_codec_information[2] >> 7) & 0x01;
 uint16_t bit_rate_index_bitmap = ((media_codec_information[2] & 0x3f) << 8) | media_codec_information[3];
+ if (count_set_bits_uint32(sampling_frequency_bitmap) != 1){
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_SAMPLING_FREQUENCY;
+ }
+ if (count_set_bits_uint32(channel_mode_bitmap) != 1){
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_CHANNEL_MODE;
+ }
+
 uint8_t layer = 0;
 if (layer_bitmap & 0x04){
 layer = AVDTP_MPEG_LAYER_1;
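Review bot: In the SBC hunk (`avdtp_signaling_setup_media_codec_sbc_config_event`) the low two bits of `media_codec_information[1]`, which the `(... & 0x0F) >> 2` subbands mask leaves out, get no exactly-one-bit check next to the four added ones. A2DP places the SBC allocation method in those bits, so if they are decoded as a bitmap further down, a remote-supplied value with zero or both bits set would still pass this validation. A fifth check in the same style, `if (count_set_bits_uint32(media_codec_information[1] & 0x03) != 1) { return <allocation-method error code>; }`, would cover it; the error-code name is a placeholder because it does not appear on this page. The function body starts and ends outside the hunk, so how that field is decoded needs confirming there.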
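Review bot: In the MPEG-audio hunk `layer_bitmap` is decoded by the `if (layer_bitmap & 0x04){` chain directly below the added checks but is not validated itself. As far as the visible lines show, a bitmap with no bit set leaves `layer` at its initial 0, and one with several bits set is resolved silently by whichever branch is tested first. Adding `if (count_set_bits_uint32(layer_bitmap) != 1) { return <invalid-layer error code>; }` before `uint8_t layer = 0;` would reject both cases; the error-code name is a placeholder, since the page does not show one. The rest of the decode chain lies outside the hunk.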
@@ -1220,6 +1240,16 @@ avdtp_signaling_setup_media_codec_mpec_aac_config_event(uint8_t *event, uint16_t
 uint8_t vbr = media_codec_information[3] >> 7;
 uint32_t bit_rate = ((media_codec_information[3] & 0x7f) << 16) | (media_codec_information[4] << 8) | media_codec_information[5];
+ if (count_set_bits_uint32(object_type_bitmap) != 1) {
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_OBJECT_TYPE;
+ }
+ if (count_set_bits_uint32(sampling_frequency_bitmap) != 1){
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_SAMPLING_FREQUENCY;
+ }
+ if (count_set_bits_uint32(channels_bitmap) != 1){
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_CHANNELS;
+ }
+
 uint8_t object_type = 0;
 if (object_type_bitmap & 0x01){
 object_type = AVDTP_AAC_MPEG4_HE_AAC_ELDv2;
@@ -1300,6 +1330,16 @@ avdtp_signaling_setup_media_codec_mpegd_config_event(uint8_t *event, uint16_t si
 uint32_t bit_rate = ((media_codec_information[3] & 0x7f) << 16) | (media_codec_information[4] << 8) | media_codec_information[5];
+ if (count_set_bits_uint32(object_type_bitmap) != 1) {
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_OBJECT_TYPE;
+ }
+ if (count_set_bits_uint32(sampling_frequency_bitmap) != 1){
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_SAMPLING_FREQUENCY;
+ }
+ if (count_set_bits_uint32(channels_bitmap) != 1){
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_CHANNELS;
+ }
+
 uint8_t object_type = 0;
 if (object_type_bitmap & 0x10){
 object_type = AVDTP_USAC_OBJECT_TYPE_MPEG_D_DRC;
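Review bot: The checks added in the AAC hunk validate the content of the bitmaps, but the context lines above them already read `media_codec_information[3]` through `[5]`, and nothing visible here bounds the length of that buffer. If the caller does not guarantee at least six bytes of codec information from the remote device, validation should begin with a length guard ahead of any indexing, e.g. `if (<codec information length> < 6) { return <error code>; }` (both names are placeholders). If the caller does guarantee it, a comment such as `// caller has verified media_codec_information holds at least 6 bytes` above the first read would record that. The same question applies to the MPEG-D and ATRAC hunks, which also index up to `[5]`; the parameters and callers are outside all of these hunks.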
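Review bot: The three checks in the MPEG-D hunk are a verbatim copy of the ones added for AAC in the hunk before, including the mixed `!= 1) {` and `!= 1){` brace spacing. Normalising them to one form, e.g. `if (count_set_bits_uint32(sampling_frequency_bitmap) != 1) {`, keeps the patch consistent within itself. Since the same exactly-one-bit pattern now appears in five functions, a short comment above each group such as `// a configuration must select exactly one option per field` would state why a zero or multi-bit value is rejected; that reading is inferred from the commit subject.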
@@ -1358,6 +1398,13 @@ static codec_specific_error_code_t avdtp_signaling_setup_media_codec_atrac_confi
 uint16_t bit_rate_index_bitmap = ((media_codec_information[1]) & 0x07) << 16 | (media_codec_information[2] << 8) | media_codec_information[3];
 uint16_t maximum_sul = (media_codec_information[4] << 8) | media_codec_information[5];
+ if (count_set_bits_uint32(channel_mode_bitmap) != 1) {
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_CHANNEL_MODE;
+ }
+ if (count_set_bits_uint32(sampling_frequency_bitmap) != 1){
+ return CODEC_SPECIFIC_ERROR_CODE_INVALID_SAMPLING_FREQUENCY;
+ }
+
 uint8_t num_channels = 0;
 avdtp_channel_mode_t channel_mode = AVDTP_CHANNEL_MODE_JOINT_STEREO;
 if (channel_mode_bitmap & 0x04){
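Review bot: In the ATRAC hunk the context line that builds `bit_rate_index_bitmap` shifts `(media_codec_information[1]) & 0x07` left by 16 and stores the result in a `uint16_t`, so those three high bits are discarded on assignment. The added checks cover only the channel mode and sampling frequency, so this field is both truncated and unvalidated. Declaring it as `uint32_t bit_rate_index_bitmap = ...` would keep all 19 bits. Whether the code that consumes the value (outside the hunk) then needs a wider field, and whether the bitmap should get a validity check of its own, needs confirming against the rest of the function.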