Skip to content

November Patches #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: 12.1
Choose a base branch
from
Open

November Patches #2

wants to merge 8 commits into from

Conversation

OhMyVenyx
Copy link

No description provided.

Brian Delwiche and others added 8 commits November 13, 2022 14:28
@OhMyVenyx
Add negative length check in process_service_search_rsp
81d7f88 
Bug: 225876506
Test: run supplied POC (updated to Android T)
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca
(cherry picked from commit eac9616fc32f0bf40d2d2e6d1ff7b453edffc01c)
Merged-In: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca
@OhMyVenyx
Add length check when copy AVDTP packet
5de563e 
Bug: 232023771
Test: make
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
(cherry picked from commit a75b650a2a4b6b62be1ceb2040c598b0feb0dacb)
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
@OhMyVenyx
Added max buffer length check
ff17cbe 
Bug: 230867224
Test: Manual -- paired Bluetooth headset and played audio
Tags: #security
Ignore-AOSP-First: Security
Change-Id: I740038288143715a1c06db781efd674b269a7f3e
(cherry picked from commit 2992109ab975def57192c5e3d40078e69b1e8717)
Merged-In: I740038288143715a1c06db781efd674b269a7f3e
@OhMyVenyx
Add missing increment in bnep_api.cc
b141797 
Bug: 228450451
Test: manual, pair BT and play audio
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I681878508feae3d0526ed3e928af7a415e7d5c36
(cherry picked from commit 0fa54c7d8a2c061202e61d75b805661c1e89a76d)
Merged-In: I681878508feae3d0526ed3e928af7a415e7d5c36
@ek9852 @OhMyVenyx
Add length check when copy AVDT and AVCT packet
d78e371 
Previous fix for AVDT causing memory leak.
And missing similar fix for AVCT packet.

Bug: 232023771
Test: make
Tag: #security
Ignore-AOSP-First: Security
Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
Change-Id: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
(cherry picked from commit 62986e6a11a7340925d79c4282513aebc28da176)
Merged-In: Ifa8ed1cd9ea118acba78bdfdf6d5861fad254a90
@ek9852 @OhMyVenyx
Fix integer overflow when parsing avrc response
3e0f199 
Convert min_len from 16 bits to 32 bits to avoid
length checking overflow.
Also, use calloc instead of malloc for list allocation
since caller need to clean up string memory in the list items

Bug: 242459126
Test: fuzz_avrc
Tag: #security
Ignore-AOSP-First: Security
Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4
Change-Id: I7250509f2b320774926a8b24fd28828c5217d8a4
(cherry picked from commit a593687d6ad3978f48e2aa7be57d8239acdfa501)
Merged-In: I7250509f2b320774926a8b24fd28828c5217d8a4
@OhMyVenyx
DO NOT MERGE: Fix possible OOB when AVDT data channel recive ACL data
68c761e 
Bug: 111450156

Change-Id: Id23eeedcb7bde5866cd53a2f7f1c30f27c5352f6
(cherry picked from commit b0125caafec2183d73fc899ce5a8aee43a6e54af)
(cherry picked from commit f349ff0c65523437b3f20ef54a7b0e5fd56364dc)
@OhMyVenyx
AVRC: Validating msg size before accessing fields
d848346 
This change adds buffer length validation during the parsing of AVRCP
browse commands.

Change-Id: I3a6c7a9ea2323a04ce5c5368eabfa940a8152cba
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@OhMyVenyx @ek9852