Fix advertise data parsing

This patch fixes overflow of position variable, and possible read outside of vector boundaries when parsing advertise data. Parsing 1004 bytes of hex "112233112233.." was causing infinite loop. Bug: 30622771 Test: manual Change-Id: I0d669f7958de73f5d53350fb293ff27fea172f44

Fix advertise data parsing
ac6177ae · Jakub Pawlowski · 6fbe4548 · ac6177ae · ac6177ae
Commit ac6177ae authored 8 years ago by Jakub Pawlowski
--- a/system/stack/btm/btm_ble_gap.cc
+++ b/system/stack/btm/btm_ble_gap.cc
@@ -1117,7 +1117,7 @@ const uint8_t* BTM_CheckAdvData(std::vector<uint8_t> const& adv, uint8_t type,
    return NULL;
  }

-  uint8_t position = 0;
+  size_t position = 0;
  uint8_t length = adv[position];

  while (length > 0 && (position < adv.size())) {
@@ -1130,6 +1130,8 @@ const uint8_t* BTM_CheckAdvData(std::vector<uint8_t> const& adv, uint8_t type,
    }

    position += length + 1; /* skip the length of data */
+    if (position >= adv.size()) break;
+
    length = adv[position];
  }


--- a/system/stack/btm/btm_inq.cc
+++ b/system/stack/btm/btm_inq.cc
@@ -2318,7 +2318,7 @@ uint8_t* BTM_CheckEirData(uint8_t* p_eir, size_t eir_len, uint8_t type,
    return NULL;
  }

-  uint8_t position = 0;
+  size_t position = 0;
  uint8_t length = p_eir[position];

  while (length > 0 && (position < eir_len)) {
@@ -2331,6 +2331,8 @@ uint8_t* BTM_CheckEirData(uint8_t* p_eir, size_t eir_len, uint8_t type,
    }

    position += length + 1; /* skip the length of data */
+    if (position >= eir_len) break;
+
    length = p_eir[position];
  }