From e8b810686622a889ed36f6a5e2349426a6e4590e Mon Sep 17 00:00:00 2001
From: Matthias Ringwald
Date: Mon, 23 Jul 2018 14:19:33 +0200
Subject: [PATCH] hci_transport_h4, hci_transport_em9304_spi.c: add checks for Event + SCO packet lengths
---
 src/hci_transport_em9304_spi.c | 8 +++++++-
 src/hci_transport_h4.c | 14 +++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/hci_transport_em9304_spi.c b/src/hci_transport_em9304_spi.c
index 9a427fa6b..cc57586d0 100644
--- a/src/hci_transport_em9304_spi.c
+++ b/src/hci_transport_em9304_spi.c
@@ -437,6 +437,12 @@ static void hci_transport_em9304_spi_block_read(void){
 case H4_W4_EVENT_HEADER:
 hci_transport_em9304_spi_bytes_to_read = hci_packet[2];
+ // check ACL length
+ if (HCI_EVENT_HEADER_SIZE + hci_transport_em9304_spi_bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
+ log_error("invalid Event len %d - only space for %u", hci_transport_em9304_spi_bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE);
+ hci_transport_em9304_spi_reset_statemachine();
+ break;
+ }
 hci_transport_em9304_h4_state = H4_W4_PAYLOAD;
 break;
@@ -446,7 +452,7 @@ static void hci_transport_em9304_spi_block_read(void){
 if (HCI_ACL_HEADER_SIZE + hci_transport_em9304_spi_bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
 log_error("invalid ACL payload len %d - only space for %u", hci_transport_em9304_spi_bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
 hci_transport_em9304_spi_reset_statemachine();
- break;
+ break;
 }
 hci_transport_em9304_h4_state = H4_W4_PAYLOAD;
 break;
diff --git a/src/hci_transport_h4.c b/src/hci_transport_h4.c
index ac8af3547..e96f077cd 100644
--- a/src/hci_transport_h4.c
+++ b/src/hci_transport_h4.c
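Review bot: The comment on the first added line, `// check ACL length`, sits in the H4_W4_EVENT_HEADER case and guards an Event payload, so it should read `// check Event length`, matching the wording the hci_transport_h4.c hunk uses for the same check. The log call formats hci_transport_em9304_spi_bytes_to_read with `%d` while the remaining-space operand uses `%u`; its declaration is outside the hunk, and if it is an unsigned type `%u` is the matching specifier (the same applies to bytes_to_read in both hci_transport_h4.c hunks). If this transport also has an H4_W4_SCO_HEADER state, which the hunk does not show, it needs the same guard the h4.c change adds for SCO lengths. hci_transport_em9304_spi_block_read starts before and continues after the hunk.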
@@ -211,6 +211,12 @@ static void hci_transport_h4_block_read(void){
 case H4_W4_EVENT_HEADER:
 bytes_to_read = hci_packet[2];
+ // check Event length
+ if (HCI_EVENT_HEADER_SIZE + bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
+ log_error("hci_transport_h4: invalid Event len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE);
+ hci_transport_h4_reset_statemachine();
+ break;
+ }
 h4_state = H4_W4_PAYLOAD;
 break;
@@ -220,13 +226,19 @@ static void hci_transport_h4_block_read(void){
 if (HCI_ACL_HEADER_SIZE + bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
 log_error("hci_transport_h4: invalid ACL payload len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
 hci_transport_h4_reset_statemachine();
- break;
+ break;
 }
 h4_state = H4_W4_PAYLOAD;
 break;
 case H4_W4_SCO_HEADER:
 bytes_to_read = hci_packet[3];
+ // check SCO length
+ if (HCI_SCO_HEADER_SIZE + bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
+ log_error("hci_transport_h4: invalid SCO payload len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_SCO_HEADER_SIZE);
+ hci_transport_h4_reset_statemachine();
+ break;
+ }
 h4_state = H4_W4_PAYLOAD;
 break;
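Review bot: The SCO guard added at H4_W4_SCO_HEADER in the second hunk is the third copy of the same check-log-reset-break sequence in hci_transport_h4_block_read (the Event guard in the first hunk and the pre-existing ACL guard are the other two), differing only in the header-size constant and the log label, so the three will drift apart the next time the buffer policy or the error handling changes. A small static helper, defined above hci_transport_h4_block_read so it can call hci_transport_h4_reset_statemachine, would keep them in step; the helper name and its int parameter types below are my construction and should be adjusted to the actual type of bytes_to_read, which is declared outside the hunk. hci_transport_h4_block_read begins before and continues after the hunk.
```c
// Returns 1 when header_size + payload_len fits hci_packet; otherwise logs, resets the state machine and returns 0.
static int hci_transport_h4_payload_len_ok(const char *kind, int header_size, int payload_len){
    if (header_size + payload_len > HCI_INCOMING_PACKET_BUFFER_SIZE){
        log_error("hci_transport_h4: invalid %s len %d - only space for %d", kind, payload_len, HCI_INCOMING_PACKET_BUFFER_SIZE - header_size);
        hci_transport_h4_reset_statemachine();
        return 0;
    }
    return 1;
}
// … unchanged: hci_transport_h4_block_read up to the SCO header case (Event and ACL cases call the same helper) …
        case H4_W4_SCO_HEADER:
            bytes_to_read = hci_packet[3];
            if (!hci_transport_h4_payload_len_ok("SCO payload", HCI_SCO_HEADER_SIZE, bytes_to_read)) break;
            h4_state = H4_W4_PAYLOAD;
            break;
```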