mirror/btstack
1
0
Fork 0
mirror of https://github.com/bluekitchen/btstack.git synced 2025-04-09 21:45:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

avrcp_target: check expected and actual packet size upfront, check expected data size

Browse Source
This commit is contained in:
Milanka Ringwald 2025-01-24 10:29:39 +01:00
parent a391ea89e1
commit fa94f75dc6
1 changed files with 20 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/classic/avrcp_target.c
View File

@ -1126,10 +1126,15 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
length = big_endian_read_16(packet, pos); length = big_endian_read_16(packet, pos);
pos += 2; pos += 2;
// pos = 13 // pos = 13
if ((pos + length) != size){
avrcp_target_response_vendor_dependent_reject(connection, pdu_id, AVRCP_STATUS_PARAMETER_CONTENT_ERROR);
return;
}
switch (pdu_id){ switch (pdu_id){
case AVRCP_PDU_ID_ADD_TO_NOW_PLAYING: case AVRCP_PDU_ID_ADD_TO_NOW_PLAYING:
if ( (pos + 11) > size){ if (length != 11){
avrcp_target_vendor_dependent_response_accept(connection, pdu_id, AVRCP_STATUS_INVALID_COMMAND); avrcp_target_response_vendor_dependent_reject(connection, pdu_id, AVRCP_STATUS_PARAMETER_CONTENT_ERROR);
return; return;
} }
@ -1146,8 +1151,8 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
break; break;
case AVRCP_PDU_ID_PLAY_ITEM: case AVRCP_PDU_ID_PLAY_ITEM:
if ( (pos + 11) > size){ if (length != 11){
avrcp_target_vendor_dependent_response_accept(connection, pdu_id, AVRCP_STATUS_INVALID_COMMAND); avrcp_target_response_vendor_dependent_reject(connection, pdu_id, AVRCP_STATUS_PARAMETER_CONTENT_ERROR);
return; return;
} }
@ -1164,7 +1169,6 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
break; break;
case AVRCP_PDU_ID_SET_ADDRESSED_PLAYER:{ case AVRCP_PDU_ID_SET_ADDRESSED_PLAYER:{
if ((pos + 2) > size) return;
bool ok = length == 4; bool ok = length == 4;
if (avrcp_target_context.set_addressed_player_callback != NULL){ if (avrcp_target_context.set_addressed_player_callback != NULL){
uint16_t player_id = big_endian_read_16(packet, pos); uint16_t player_id = big_endian_read_16(packet, pos);
@ -1178,6 +1182,10 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
break; break;
} }
case AVRCP_PDU_ID_GET_CAPABILITIES:{ case AVRCP_PDU_ID_GET_CAPABILITIES:{
if (length != 1){
avrcp_target_response_vendor_dependent_reject(connection, pdu_id, AVRCP_STATUS_PARAMETER_CONTENT_ERROR);
return;
}
avrcp_capability_id_t capability_id = (avrcp_capability_id_t) packet[pos]; avrcp_capability_id_t capability_id = (avrcp_capability_id_t) packet[pos];
switch (capability_id){ switch (capability_id){
case AVRCP_CAPABILITY_ID_EVENT: case AVRCP_CAPABILITY_ID_EVENT:
@ -1196,8 +1204,12 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
avrcp_target_emit_respond_vendor_dependent_query(avrcp_target_context.avrcp_callback, connection->avrcp_cid, AVRCP_SUBEVENT_PLAY_STATUS_QUERY); avrcp_target_emit_respond_vendor_dependent_query(avrcp_target_context.avrcp_callback, connection->avrcp_cid, AVRCP_SUBEVENT_PLAY_STATUS_QUERY);
break; break;
case AVRCP_PDU_ID_REQUEST_ABORT_CONTINUING_RESPONSE: case AVRCP_PDU_ID_REQUEST_ABORT_CONTINUING_RESPONSE:
if ((pos + 1) > size) return; if (length != 1){
connection->target_abort_continue_response = true; avrcp_target_response_vendor_dependent_reject(connection, pdu_id, AVRCP_STATUS_PARAMETER_CONTENT_ERROR);
return;
}
connection->target_abort_continue_response = false;
connection->state = AVCTP_W2_SEND_RESPONSE; connection->state = AVCTP_W2_SEND_RESPONSE;
avrcp_request_can_send_now(connection, connection->l2cap_signaling_cid); avrcp_request_can_send_now(connection, connection->l2cap_signaling_cid);
break; break;
@ -1316,13 +1328,8 @@ static void avrcp_handle_l2cap_data_packet_for_signaling_connection(avrcp_connec
break; break;
} }
case AVRCP_PDU_ID_SET_ABSOLUTE_VOLUME: { case AVRCP_PDU_ID_SET_ABSOLUTE_VOLUME: {
if ((pos + 1) > size ){
avrcp_target_response_vendor_dependent_reject(connection, pdu_id, AVRCP_STATUS_INVALID_COMMAND);
break;
}
if (length != 1){ if (length != 1){
avrcp_target_response_vendor_dependent_reject(connection, pdu_id, AVRCP_STATUS_SPECIFIED_PARAMETER_NOT_FOUND); avrcp_target_response_vendor_dependent_reject(connection, pdu_id, AVRCP_STATUS_PARAMETER_CONTENT_ERROR);
break; break;
} }