Merge branch 'bugfix/possible_buffer_overflow' into 'master'

Bugfix/possible buffer overflow

Closes BT-4111

See merge request espressif/esp-idf!41878

Author: wmy-espressif

components/bt/host/bluedroid/bta/av/bta_av_act.c

@@ -685,11 +685,18 @@ static tAVRC_STS bta_av_chk_notif_evt_id(tAVRC_MSG_VENDOR *p_vendor)
 {
     tAVRC_STS   status = BTA_AV_STS_NO_RSP;
     UINT16      u16;
-    UINT8       *p = p_vendor->p_vendor_data + 2;
+    UINT8       *p = NULL;
+
+    if (!p_vendor || !p_vendor->p_vendor_data ||
+        (p_vendor->vendor_len != AVRC_REGISTER_NOTIFICATION_CMD_SIZE)) {
+        return AVRC_STS_INTERNAL_ERR;
+    }
+
+    p = p_vendor->p_vendor_data + AVRC_CMD_PARAM_LENGTH_OFFSET;
 
     BE_STREAM_TO_UINT16 (u16, p);
     /* double check the fixed length */
-    if ((u16 != 5) || (p_vendor->vendor_len != 9)) {
+    if (u16 != 5) {
         status = AVRC_STS_INTERNAL_ERR;
     } else {
         /* make sure the event_id is valid */
@@ -722,6 +729,12 @@ tBTA_AV_EVT bta_av_proc_meta_cmd(tAVRC_RESPONSE  *p_rc_rsp, tBTA_AV_RC_MSG *p_ms
 
 #if (AVRC_METADATA_INCLUDED == TRUE)
 
+    if (!p_vendor || !p_vendor->p_vendor_data || (p_vendor->vendor_len == 0)) {
+        evt = 0;
+        p_rc_rsp->rsp.status = AVRC_STS_BAD_CMD;
+        return evt;
+    }
+
     pdu = *(p_vendor->p_vendor_data);
     p_rc_rsp->pdu = pdu;
     *p_ctype = AVRC_RSP_REJ;
@@ -741,12 +754,16 @@ tBTA_AV_EVT bta_av_proc_meta_cmd(tAVRC_RESPONSE  *p_rc_rsp, tBTA_AV_RC_MSG *p_ms
         switch (pdu) {
         case AVRC_PDU_GET_CAPABILITIES:
             /* process GetCapabilities command without reporting the event to app */
+            if (p_vendor->vendor_len != AVRC_GET_CAPABILITIES_CMD_SIZE) {
+                p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
+                break;
+            }
             evt = 0;
-            u8 = *(p_vendor->p_vendor_data + 4);
-            p = p_vendor->p_vendor_data + 2;
+            u8 = *(p_vendor->p_vendor_data + AVRC_CMD_PARAM_VALUE_OFFSET);
+            p = p_vendor->p_vendor_data + AVRC_CMD_PARAM_LENGTH_OFFSET;
             p_rc_rsp->get_caps.capability_id = u8;
             BE_STREAM_TO_UINT16 (u16, p);
-            if ((u16 != 1) || (p_vendor->vendor_len != 5)) {
+            if (u16 != 1) {
                 p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
             } else {
                 p_rc_rsp->get_caps.status = AVRC_STS_NO_ERROR;

components/bt/host/bluedroid/btc/profile/std/avrc/btc_avrc.c

@@ -582,22 +582,35 @@ static void handle_rc_disconnect (tBTA_AV_RC_CLOSE *p_rc_close)
 
 static void handle_rc_attributes_rsp (tAVRC_MSG_VENDOR *vendor_msg)
 {
-    uint8_t attr_count = vendor_msg->p_vendor_data[4];
+    uint8_t attr_count = 0;
     int attr_index = 5;
     int attr_length = 0;
     uint32_t attr_id = 0;
 
+    if (!vendor_msg || !vendor_msg->p_vendor_data ||
+        (vendor_msg->vendor_len < AVRC_GET_ELEMENT_ATTR_RSP_SIZE_MIN)) {
+        return;
+    }
+
     //Check if there are any attributes
-    if (attr_count < 1) {
+    if ((attr_count = vendor_msg->p_vendor_data[AVRC_RSP_PARAM_VALUE_OFFSET]) < 1) {
         return;
     }
 
     esp_avrc_ct_cb_param_t param[attr_count];
     memset(&param[0], 0, sizeof(esp_avrc_ct_cb_param_t) * attr_count);
 
     for (int i = 0; i < attr_count; i++) {
+        if (vendor_msg->vendor_len < attr_index + 8) {
+            return;
+        }
+
         attr_length = (int) vendor_msg->p_vendor_data[7 + attr_index] | vendor_msg->p_vendor_data[6 + attr_index] << 8;
 
+        if (vendor_msg->vendor_len < attr_index + attr_length + 8) {
+            return;
+        }
+
         //Received attribute text is not null terminated, so it's useful to know it's length
         param[i].meta_rsp.attr_length = attr_length;
         param[i].meta_rsp.attr_text = &vendor_msg->p_vendor_data[8 + attr_index];
@@ -620,30 +633,52 @@ static void handle_rc_notification_rsp (tAVRC_MSG_VENDOR *vendor_msg)
     esp_avrc_ct_cb_param_t param;
     memset(&param, 0, sizeof(esp_avrc_ct_cb_param_t));
 
-    param.change_ntf.event_id = vendor_msg->p_vendor_data[4];
+    if (!vendor_msg || !vendor_msg->p_vendor_data ||
+        (vendor_msg->vendor_len < AVRC_REGISTER_NOTIFICATION_RSP_SIZE_MIN)) {
+        return;
+    }
+
+    param.change_ntf.event_id = vendor_msg->p_vendor_data[AVRC_RSP_PARAM_VALUE_OFFSET];
 
-    uint8_t *data = &vendor_msg->p_vendor_data[5];
+    uint8_t *data = &vendor_msg->p_vendor_data[AVRC_RSP_PARAM_VALUE_OFFSET + 1];
     if (!btc_avrc_ct_rn_evt_supported(param.change_ntf.event_id)) {
         BTC_TRACE_WARNING("%s unsupported notification on CT, event id 0x%x", __FUNCTION__,
                           param.change_ntf.event_id);
         return;
     }
 
+
+    bool notif = false;
     switch (param.change_ntf.event_id) {
     case ESP_AVRC_RN_PLAY_STATUS_CHANGE:
-        BE_STREAM_TO_UINT8(param.change_ntf.event_parameter.playback, data);
+        if (vendor_msg->vendor_len >= AVRC_RN_PLAY_STATUS_CHANGE_EVT_SIZE) {
+            BE_STREAM_TO_UINT8(param.change_ntf.event_parameter.playback, data);
+            notif = true;
+        }
         break;
     case ESP_AVRC_RN_TRACK_CHANGE:
-        memcpy(param.change_ntf.event_parameter.elm_id, data, 8);
+        if (vendor_msg->vendor_len >= AVRC_RN_TRACK_CHANGE_EVT_SIZE) {
+            memcpy(param.change_ntf.event_parameter.elm_id, data, 8);
+            notif = true;
+        }
         break;
     case ESP_AVRC_RN_PLAY_POS_CHANGED:
-        BE_STREAM_TO_UINT32(param.change_ntf.event_parameter.play_pos, data);
+        if (vendor_msg->vendor_len >= AVRC_RN_PLAY_POS_CHANGED_EVT_SIZE) {
+            BE_STREAM_TO_UINT32(param.change_ntf.event_parameter.play_pos, data);
+            notif = true;
+        }
         break;
     case ESP_AVRC_RN_BATTERY_STATUS_CHANGE:
-        BE_STREAM_TO_UINT8(param.change_ntf.event_parameter.batt, data);
+        if (vendor_msg->vendor_len >= AVRC_RN_BATTERY_STATUS_CHANGE_EVT_SIZE) {
+            BE_STREAM_TO_UINT8(param.change_ntf.event_parameter.batt, data);
+            notif = true;
+        }
         break;
     case ESP_AVRC_RN_VOLUME_CHANGE:
-        BE_STREAM_TO_UINT8(param.change_ntf.event_parameter.volume, data);
+        if (vendor_msg->vendor_len >= AVRC_RN_VOLUME_CHANGE_EVT_SIZE) {
+            BE_STREAM_TO_UINT8(param.change_ntf.event_parameter.volume, data);
+            notif = true;
+        }
         break;
     // for non-parameter event response
     case ESP_AVRC_RN_TRACK_REACHED_END:
@@ -661,7 +696,10 @@ static void handle_rc_notification_rsp (tAVRC_MSG_VENDOR *vendor_msg)
                           param.change_ntf.event_id);
         break;
     }
-    btc_avrc_ct_cb_to_app(ESP_AVRC_CT_CHANGE_NOTIFY_EVT, &param);
+
+    if (notif) {
+        btc_avrc_ct_cb_to_app(ESP_AVRC_CT_CHANGE_NOTIFY_EVT, &param);
+    }
 }
 
 static void handle_rc_get_caps_rsp (tAVRC_GET_CAPS_RSP *rsp)
@@ -852,7 +890,7 @@ static void handle_rc_metamsg_rsp (tBTA_AV_META_MSG *p_meta_msg)
     tAVRC_RESPONSE avrc_response = {0};
     tAVRC_STS status;
     tAVRC_MSG_VENDOR *vendor_msg = &p_meta_msg->p_msg->vendor;
-    BTC_TRACE_DEBUG("%s: opcode %d, pdu 0x%x, code %d", __FUNCTION__, p_meta_msg->p_msg->hdr.opcode, vendor_msg->p_vendor_data[0],
+    BTC_TRACE_DEBUG("%s: opcode %d, pdu 0x%x, code %d", __FUNCTION__, p_meta_msg->p_msg->hdr.opcode, vendor_msg->p_vendor_data[AVRC_RSP_OPCODE_OFFSET],
                     p_meta_msg->code);
     if ( p_meta_msg->p_msg->hdr.opcode != AVRC_OP_VENDOR) {
         return;
@@ -868,7 +906,7 @@ static void handle_rc_metamsg_rsp (tBTA_AV_META_MSG *p_meta_msg)
 
     // handle GET_ELEMENT_ATTR response
     if (p_meta_msg->code == AVRC_RSP_IMPL_STBL &&
-            vendor_msg->p_vendor_data[0] == AVRC_PDU_GET_ELEMENT_ATTR) {
+            vendor_msg->p_vendor_data[AVRC_RSP_OPCODE_OFFSET] == AVRC_PDU_GET_ELEMENT_ATTR) {
         handle_rc_attributes_rsp(vendor_msg);
         return;
     }

components/bt/host/bluedroid/stack/avrc/avrc_api.c

@@ -545,7 +545,22 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
 
     p_data  = (UINT8 *)(p_pkt + 1) + p_pkt->offset;
     memset(&msg, 0, sizeof(tAVRC_MSG) );
-    {
+
+    if (p_pkt->layer_specific == AVCT_DATA_BROWSE) {
+        // opcode = AVRC_OP_BROWSE;
+        // msg.browse.hdr.ctype = cr;
+        // msg.browse.p_browse_data = p_data;
+        // msg.browse.browse_len = p_pkt->len;
+        // msg.browse.p_browse_pkt = p_pkt;
+        AVRC_TRACE_ERROR("BROWSE CHANNEL NOT SUPPORTED NOW!");
+        osi_free(p_pkt);
+        return;
+    } else {
+        if (p_pkt->len < AVRC_AVC_HDR_SIZE) {
+            AVRC_TRACE_WARNING("Bad message length:%d (< %d)", p_pkt->len, AVRC_AVC_HDR_SIZE);
+            osi_free(p_pkt);
+            return;
+        }
         msg.hdr.ctype           = p_data[0] & AVRC_CTYPE_MASK;
         AVRC_TRACE_DEBUG("avrc_msg_cback handle:%d, ctype:%d, offset:%d, len: %d",
                          handle, msg.hdr.ctype, p_pkt->offset, p_pkt->len);
@@ -578,6 +593,14 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
                 p_drop_msg = "auto respond";
 #endif
             } else {
+                if (p_pkt->len < AVRC_OP_UNIT_INFO_RSP_LEN) {
+                    AVRC_TRACE_WARNING("Bad message length:%d (< %d)", p_pkt->len, AVRC_OP_UNIT_INFO_RSP_LEN);
+                    drop = TRUE;
+#if (BT_USE_TRACES == TRUE)
+                    p_drop_msg = "UNIT_INFO_RSP too short";
+#endif
+                    break;
+                }
                 /* parse response */
                 p_data += 4; /* 3 bytes: ctype, subunit*, opcode + octet 3 (is 7)*/
                 msg.unit.unit_type  = (*p_data & AVRC_SUBTYPE_MASK) >> AVRC_SUBTYPE_SHIFT;
@@ -594,7 +617,7 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
                 p_rsp_data = avrc_get_data_ptr(p_rsp);
                 *p_rsp_data = AVRC_RSP_IMPL_STBL;
                 /* check & set the offset. set response code, set (subunit_type & subunit_id),
-                   set AVRC_OP_SUB_INFO, set (page & extention code) */
+                   set AVRC_OP_SUB_INFO, set (page & extension code) */
                 p_rsp_data      += 4;
                 /* Panel subunit & id=0 */
                 *p_rsp_data++   = (AVRC_SUB_PANEL << AVRC_SUBTYPE_SHIFT);
@@ -606,6 +629,14 @@ static void avrc_msg_cback(UINT8 handle, UINT8 label, UINT8 cr,
                 p_drop_msg = "auto responded";
 #endif
             } else {
+                if (p_pkt->len < AVRC_OP_SUB_UNIT_INFO_RSP_LEN) {
+                    AVRC_TRACE_WARNING("Bad message length:%d (< %d)", p_pkt->len, AVRC_OP_SUB_UNIT_INFO_RSP_LEN);
+                    drop = TRUE;
+#if (BT_USE_TRACES == TRUE)
+                    p_drop_msg = "UNIT_INFO_RSP too short";
+#endif
+                    break;
+                }
                 /* parse response */
                 p_data += AVRC_AVC_HDR_SIZE; /* 3 bytes: ctype, subunit*, opcode */
                 msg.sub.page    = (*p_data++ >> AVRC_SUB_PAGE_SHIFT) & AVRC_SUB_PAGE_MASK;

components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c

@@ -56,7 +56,7 @@ static tAVRC_STS avrc_pars_vendor_cmd(tAVRC_MSG_VENDOR *p_msg, tAVRC_COMMAND *p_
     if (p_msg->vendor_len == 0) {
         return AVRC_STS_NO_ERROR;
     }
-    if (p_msg->p_vendor_data == NULL) {
+    if ((p_msg->p_vendor_data == NULL) || (p_msg->vendor_len < AVRC_CMD_FIXED_SIZE)) {
         return AVRC_STS_INTERNAL_ERR;
     }
 

components/bt/host/bluedroid/stack/include/stack/avrc_defs.h

@@ -214,6 +214,55 @@
 #define AVRC_PDU_ADD_TO_NOW_PLAYING             0x90
 #define AVRC_PDU_GENERAL_REJECT                 0xA0
 
+/* Define the length of vendor dependent PDUs
+*/
+#define AVRC_CMD_PARAM_LENGTH_OFFSET                 2
+#define AVRC_CMD_PARAM_VALUE_OFFSET                  4
+#define AVRC_CMD_FIXED_SIZE                          4
+
+#define AVRC_GET_CAPABILITIES_CMD_SIZE               (AVRC_CMD_FIXED_SIZE + 1)
+#define AVRC_LIST_PLAYER_APP_ATTR_CMD_SIZE           (AVRC_CMD_FIXED_SIZE + 0)
+#define AVRC_LIST_PLAYER_APP_VALUES_CMD_SIZE         (AVRC_CMD_FIXED_SIZE + 1)
+#define AVRC_GET_CUR_PLAYER_APP_VALUE_CMD_SIZE       (AVRC_CMD_FIXED_SIZE + 2)
+#define AVRC_SET_PLAYER_APP_VALUE_CMD_SIZE           (AVRC_CMD_FIXED_SIZE + 3)
+#define AVRC_GET_PLAYER_APP_ATTR_TEXT_CMD_SIZE       (AVRC_CMD_FIXED_SIZE + 2)
+#define AVRC_GET_PLAYER_APP_VALUE_TEXT_CMD_SIZE      (AVRC_CMD_FIXED_SIZE + 3)
+#define AVRC_INFORM_DISPLAY_CHARSET_CMD_SIZE         (AVRC_CMD_FIXED_SIZE + 3)
+#define AVRC_INFORM_BATTERY_STAT_OF_CT_CMD_SIZE      (AVRC_CMD_FIXED_SIZE + 1)
+#define AVRC_GET_ELEMENT_ATTR_CMD_SIZE               (AVRC_CMD_FIXED_SIZE + 13)
+#define AVRC_GET_PLAY_STATUS_CMD_SIZE                (AVRC_CMD_FIXED_SIZE + 0)
+#define AVRC_REGISTER_NOTIFICATION_CMD_SIZE          (AVRC_CMD_FIXED_SIZE + 5)
+#define AVRC_REQUEST_CONTINUATION_RSP_CMD_SIZE       (AVRC_CMD_FIXED_SIZE + 1)
+#define AVRC_ABORT_CONTINUATION_RSP_CMD_SIZE         (AVRC_CMD_FIXED_SIZE + 1)
+
+/* Define the length of response of vendor dependent PDUs
+*/
+#define AVRC_RSP_OPCODE_OFFSET                       0
+#define AVRC_RSP_PARAM_LENGTH_OFFSET                 2
+#define AVRC_RSP_PARAM_VALUE_OFFSET                  4
+#define AVRC_RSP_FIXED_SIZE                          4
+
+#define AVRC_GET_CAPABILITIES_RSP_SIZE_MIN           (AVRC_RSP_FIXED_SIZE + 1)
+#define AVRC_LIST_PLAYER_APP_ATTR_RSP_SIZE           (AVRC_RSP_FIXED_SIZE + 2)
+#define AVRC_LIST_PLAYER_APP_VALUES_RSP_SIZE         (AVRC_RSP_FIXED_SIZE + 2)
+#define AVRC_GET_CUR_PLAYER_APP_VALUE_RSP_SIZE       (AVRC_RSP_FIXED_SIZE + 3)
+#define AVRC_SET_PLAYER_APP_VALUE_RSP_SIZE           (AVRC_RSP_FIXED_SIZE + 2)
+#define AVRC_GET_PLAYER_APP_ATTR_TEXT_RSP_SIZE_MIN   (AVRC_RSP_FIXED_SIZE + 6)
+#define AVRC_GET_PLAYER_APP_VALUE_TEXT_RSP_SIZE_MIN  (AVRC_RSP_FIXED_SIZE + 6)
+#define AVRC_INFORM_DISPLAY_CHARSET_RSP_SIZE         (AVRC_RSP_FIXED_SIZE + 0)
+#define AVRC_INFORM_BATTERY_STAT_OF_CT_RSP_SIZE      (AVRC_RSP_FIXED_SIZE + 0)
+#define AVRC_GET_ELEMENT_ATTR_RSP_SIZE_MIN           (AVRC_RSP_FIXED_SIZE + 1)
+#define AVRC_GET_PLAY_STATUS_RSP_SIZE                (AVRC_RSP_FIXED_SIZE + 9)
+#define AVRC_REGISTER_NOTIFICATION_RSP_SIZE_MIN      (AVRC_RSP_FIXED_SIZE + 2)
+#define AVRC_RN_PLAY_STATUS_CHANGE_EVT_SIZE          (AVRC_REGISTER_NOTIFICATION_RSP_SIZE_MIN)
+#define AVRC_RN_TRACK_CHANGE_EVT_SIZE                (AVRC_REGISTER_NOTIFICATION_RSP_SIZE_MIN + 7)
+#define AVRC_RN_PLAY_POS_CHANGED_EVT_SIZE            (AVRC_REGISTER_NOTIFICATION_RSP_SIZE_MIN + 3)
+#define AVRC_RN_BATTERY_STATUS_CHANGE_EVT_SIZE       (AVRC_REGISTER_NOTIFICATION_RSP_SIZE_MIN)
+#define AVRC_RN_SYSTEM_STATUS_CHANGE_EVT_SIZE        (AVRC_REGISTER_NOTIFICATION_RSP_SIZE_MIN)
+#define AVRC_RN_APP_SETTING_CHANGE_EVT_SIZE          (AVRC_REGISTER_NOTIFICATION_RSP_SIZE_MIN + 2)
+#define AVRC_RN_VOLUME_CHANGE_EVT_SIZE               (AVRC_REGISTER_NOTIFICATION_RSP_SIZE_MIN)
+#define AVRC_ABORT_CONTINUATION_RSP_RSP_SIZE         (AVRC_RSP_FIXED_SIZE + 0)
+
 /* Define the vendor unique id carried in the pass through data
 */
 #define AVRC_PDU_NEXT_GROUP                     0x00

components/bt/host/bluedroid/stack/include/stack/rfcdefs.h

@@ -42,7 +42,7 @@
 #define RFCOMM_UIH                      0xEF
 
 /*
-** Defenitions for the TS control frames
+** Definitions for the TS control frames
 */
 #define RFCOMM_CTRL_FRAME_LEN           3
 #define RFCOMM_MIN_OFFSET               5 /* ctrl 2 , len 1 or 2 bytes, credit 1 byte */
@@ -90,13 +90,6 @@
     pf   = (*p_data++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET;\
 }
 
-#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data)          \
-{                                                           \
-    ea = (*p_data & RFCOMM_EA);                             \
-    length = (*p_data++ >> RFCOMM_SHIFT_LENGTH1);           \
-    if (!ea) length += (*p_data++ << RFCOMM_SHIFT_LENGTH2); \
-}
-
 #define RFCOMM_FRAME_IS_CMD(initiator, cr)                  \
     (( (initiator) && !(cr)) || (!(initiator) &&  (cr)))
 
@@ -139,7 +132,7 @@
 #define RFCOMM_MSC_FC               0x02          /* Flow control*/
 #define RFCOMM_MSC_RTC              0x04          /* Ready to communicate*/
 #define RFCOMM_MSC_RTR              0x08          /* Ready to receive*/
-#define RFCOMM_MSC_IC               0x40          /* Incomming call indicator*/
+#define RFCOMM_MSC_IC               0x40          /* Incoming call indicator*/
 #define RFCOMM_MSC_DV               0x80          /* Data Valid*/
 
 #define RFCOMM_MSC_SHIFT_BREAK          4

components/bt/host/bluedroid/stack/include/stack/sdp_api.h

@@ -96,8 +96,8 @@ typedef struct {
         UINT8       u8;                         /* 8-bit integer            */
         UINT16      u16;                        /* 16-bit integer           */
         UINT32      u32;                        /* 32-bit integer           */
-        UINT8       array[4];                   /* Variable length field    */
         struct t_sdp_disc_attr *p_sub_attr;     /* Addr of first sub-attr (list)*/
+        UINT8       array[];                    /* Variable length field    */
     } v;
 
 } tSDP_DISC_ATVAL;