From: "Pali Rohár" <pali.rohar@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH v2 01/10] avinfo: Fix buffer overflow when parsing broken/malicious data
Date: Sun, 23 Dec 2018 11:40:12 +0100 [thread overview]
Message-ID: <20181223104021.18620-2-pali.rohar@gmail.com> (raw)
In-Reply-To: <20181223104021.18620-1-pali.rohar@gmail.com>
Check the size of the buffer before casting it to a struct.
---
tools/avinfo.c | 92 +++++++++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 72 insertions(+), 20 deletions(-)
diff --git a/tools/avinfo.c b/tools/avinfo.c
index 31c4e106e..3f6cdbc0e 100644
--- a/tools/avinfo.c
+++ b/tools/avinfo.c
@@ -167,10 +167,15 @@ struct avdtp_content_protection_capability {
uint8_t data[0];
} __attribute__ ((packed));
-static void print_aptx(a2dp_aptx_t *aptx)
+static void print_aptx(a2dp_aptx_t *aptx, uint8_t size)
{
printf("\t\tVendor Specific Value (aptX)");
+ if (size < sizeof(*aptx)) {
+ printf(" (broken)\n");
+ return;
+ }
+
printf("\n\t\t\tFrequencies: ");
if (aptx->frequency & APTX_SAMPLING_FREQ_16000)
printf("16kHz ");
@@ -190,20 +195,34 @@ static void print_aptx(a2dp_aptx_t *aptx)
printf("\n");
}
-static void print_ldac(a2dp_ldac_t *ldac)
+static void print_ldac(a2dp_ldac_t *ldac, uint8_t size)
{
printf("\t\tVendor Specific Value (LDAC)");
+ if (size < sizeof(*ldac)) {
+ printf(" (broken)\n");
+ return;
+ }
+
printf("\n\t\t\tUnknown: %02x %02x", ldac->unknown[0],
ldac->unknown[1]);
printf("\n");
}
-static void print_vendor(a2dp_vendor_codec_t *vendor)
+static void print_vendor(a2dp_vendor_codec_t *vendor, uint8_t size)
{
- uint32_t vendor_id = btohl(vendor->vendor_id);
- uint16_t codec_id = btohs(vendor->codec_id);
+ uint32_t vendor_id;
+ uint16_t codec_id;
+ uint8_t i;
+
+ if (size < sizeof(*vendor)) {
+ printf("\tMedia Codec: Vendor Specific A2DP Codec (broken)");
+ return;
+ }
+
+ vendor_id = btohl(vendor->vendor_id);
+ codec_id = btohs(vendor->codec_id);
printf("\tMedia Codec: Vendor Specific A2DP Codec");
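Review bot: The "(broken)" message for the vendor codec is the only one in this patch without a trailing newline, so whatever avinfo prints next is glued onto the same output line; it should read `printf("\tMedia Codec: Vendor Specific A2DP Codec (broken)\n");` to match the other early-return paths (print_mpeg24, print_mpeg12, print_sbc, print_media_codec). The new local `uint8_t i;` is not used in any line visible in this hunk; if it is not used in the rest of print_vendor it will draw an unused-variable warning and presumably belongs to a later patch of the series. print_vendor continues past the end of this hunk.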
@@ -212,15 +231,22 @@ static void print_vendor(a2dp_vendor_codec_t *vendor)
printf("\n\t\tVendor Specific Codec ID 0x%04x\n", codec_id);
if (vendor_id == APTX_VENDOR_ID && codec_id == APTX_CODEC_ID)
- print_aptx((void *) vendor);
+ print_aptx((void *) vendor, size);
else if (vendor_id == LDAC_VENDOR_ID && codec_id == LDAC_CODEC_ID)
- print_ldac((void *) vendor);
+ print_ldac((void *) vendor, size);
}
-static void print_mpeg24(a2dp_aac_t *aac)
+static void print_mpeg24(a2dp_aac_t *aac, uint8_t size)
{
- unsigned freq = AAC_GET_FREQUENCY(*aac);
- unsigned bitrate = AAC_GET_BITRATE(*aac);
+ unsigned int freq, bitrate;
+
+ if (size < sizeof(*aac)) {
+ printf("\tMedia Codec: MPEG24 (broken)\n");
+ return;
+ }
+
+ freq = AAC_GET_FREQUENCY(*aac);
+ bitrate = AAC_GET_BITRATE(*aac);
printf("\tMedia Codec: MPEG24\n\t\tObject Types: ");
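Review bot: The `size < sizeof(*aptx)` and `size < sizeof(*ldac)` guards are only sound if `a2dp_aptx_t` and `a2dp_ldac_t` start with the `a2dp_vendor_codec_t` header that `size` was measured from, since print_vendor forwards its whole `size` rather than `size - sizeof(*vendor)`; the type definitions are not in this patch, so this is inferred. If those structs do embed the header, a one-line comment at the forwarding calls such as `/* size covers the vendor header; aptX/LDAC structs embed it */` would make the invariant visible to the next maintainer. print_vendor's body starts in the previous hunk and print_mpeg24's continues beyond this one.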
@@ -270,8 +296,13 @@ static void print_mpeg24(a2dp_aac_t *aac)
printf("\n\t\tVBR: %s", aac->vbr ? "Yes\n" : "No\n");
}
-static void print_mpeg12(a2dp_mpeg_t *mpeg)
+static void print_mpeg12(a2dp_mpeg_t *mpeg, uint8_t size)
{
+ if (size < sizeof(*mpeg)) {
+ printf("\tMedia Codec: MPEG12 (broken)\n");
+ return;
+ }
+
printf("\tMedia Codec: MPEG12\n\t\tChannel Modes: ");
if (mpeg->channel_mode & MPEG_CHANNEL_MODE_MONO)
@@ -351,8 +382,13 @@ static void print_mpeg12(a2dp_mpeg_t *mpeg)
printf("RFC-2250\n");
}
-static void print_sbc(a2dp_sbc_t *sbc)
+static void print_sbc(a2dp_sbc_t *sbc, uint8_t size)
{
+ if (size < sizeof(*sbc)) {
+ printf("\tMedia Codec: SBC (broken)\n");
+ return;
+ }
+
printf("\tMedia Codec: SBC\n\t\tChannel Modes: ");
if (sbc->channel_mode & SBC_CHANNEL_MODE_MONO)
@@ -394,20 +430,27 @@ static void print_sbc(a2dp_sbc_t *sbc)
sbc->min_bitpool, sbc->max_bitpool);
}
-static void print_media_codec(struct avdtp_media_codec_capability *cap)
+static void print_media_codec(
+ struct avdtp_media_codec_capability *cap,
+ uint8_t size)
{
+ if (size < sizeof(*cap)) {
+ printf("\tMedia Codec: Unknown (broken)\n");
+ return;
+ }
+
switch (cap->media_codec_type) {
case A2DP_CODEC_SBC:
- print_sbc((void *) cap->data);
+ print_sbc((void *) cap->data, size - 2);
break;
case A2DP_CODEC_MPEG12:
- print_mpeg12((void *) cap->data);
+ print_mpeg12((void *) cap->data, size - 2);
break;
case A2DP_CODEC_MPEG24:
- print_mpeg24((void *) cap->data);
+ print_mpeg24((void *) cap->data, size - 2);
break;
case A2DP_CODEC_VENDOR:
- print_vendor((void *) cap->data);
+ print_vendor((void *) cap->data, size - 2);
break;
default:
printf("\tMedia Codec: Unknown\n");
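Review bot: The literal `2` subtracted in each `print_*((void *) cap->data, size - 2)` call silently depends on `sizeof(*cap)` being 2, which is exactly the value the guard above compares against; if the capability header ever changes, the guard and the subtraction drift apart. Writing the four calls as `print_sbc((void *) cap->data, size - sizeof(*cap));` (and likewise for MPEG12, MPEG24 and vendor) keeps the remaining-length arithmetic tied to the check that guarantees it cannot go negative. The same pattern does not appear elsewhere in the patch, so this is the only place to change.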
@@ -415,10 +458,16 @@ static void print_media_codec(struct avdtp_media_codec_capability *cap)
}
static void print_content_protection(
- struct avdtp_content_protection_capability *cap)
+ struct avdtp_content_protection_capability *cap,
+ uint8_t size)
{
printf("\tContent Protection: ");
+ if (size < sizeof(*cap)) {
+ printf("Unknown (broken)\n");
+ return;
+ }
+
switch (btohs(cap->content_protection_type)) {
case AVDTP_CONTENT_PROTECTION_TYPE_DTCP:
printf("DTCP");
@@ -452,13 +501,16 @@ static void print_caps(void *data, int size)
case AVDTP_REPORTING:
case AVDTP_RECOVERY:
case AVDTP_MULTIPLEXING:
+ default:
/* FIXME: Add proper functions */
+ printf("\tUnknown category: %d\n", cap->category);
break;
case AVDTP_MEDIA_CODEC:
- print_media_codec((void *) cap->data);
+ print_media_codec((void *) cap->data, cap->length);
break;
case AVDTP_CONTENT_PROTECTION:
- print_content_protection((void *) cap->data);
+ print_content_protection((void *) cap->data,
+ cap->length);
break;
}
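Review bot: The new length checks in print_media_codec and print_content_protection trust `cap->length`, which comes from the remote peer, so they only prevent over-reads if print_caps itself has already bounded `cap->length` against the bytes left in `data` (`size` minus what the loop has consumed); that loop starts outside this hunk and is not visible here. If it is not already there, a check before this switch along the lines of `if (cap->length > size - sizeof(*cap)) { printf("\tTruncated capability\n"); break; }` is what makes the inner `size - 2` arithmetic and struct casts safe. Folding `default:` into the FIXME group and printing the category value is a good diagnostic for malformed input.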
--
2.11.0