Fix potential buffer overflow and uninitialized read in reassemble_an…

…d_dispatch_iso Tag: #security Test: compilation Bug: 188673156 Change-Id: Id9f2acfde05da681c82adc25d602cc48a2bc5df9
ProjectRadiant · Jun 25, 2021 · 052a5de · 052a5de
1 parent 04d9e7c
commit 052a5de
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/hci/src/packet_fragmenter.cc b/hci/src/packet_fragmenter.cc
@@ -254,8 +254,10 @@ static void reassemble_and_dispatch_iso(UNUSED_ATTR BT_HDR* packet) {
         return;
       }
 
-      if ((boundary_flag == HCI_ISO_BF_COMPLETE_PACKET) &&
-          (iso_full_len != packet->len)) {
+      if (((boundary_flag == HCI_ISO_BF_COMPLETE_PACKET) &&
+           (iso_full_len != packet->len)) ||
+          ((boundary_flag == HCI_ISO_BF_FIRST_FRAGMENTED_PACKET) &&
+           (iso_full_len <= packet->len))) {
         LOG_ERROR("%s corrupted ISO frame", __func__);
         return;
       }
@@ -324,6 +326,18 @@ static void reassemble_and_dispatch_iso(UNUSED_ATTR BT_HDR* packet) {
         return;
       }
 
+      if (partial_packet->len !=
+          partial_packet->offset + packet->len - HCI_ISO_PREAMBLE_SIZE) {
+        LOG_ERROR(
+            "%s got last fragment, but it doesn't fill up the whole packet of "
+            "size %d",
+            __func__, partial_packet->len);
+        buffer_allocator->free(packet);
+        partial_iso_packets.erase(map_iter);
+        buffer_allocator->free(partial_packet);
+        return;
+      }
+
       partial_packet->layer_specific |= BT_ISO_HDR_OFFSET_POINTS_DATA;
       partial_packet->offset = HCI_ISO_PREAMBLE_SIZE;
       if (partial_packet->layer_specific & BT_ISO_HDR_CONTAINS_TS)