Bug 932490 - Fix the buffer overflows of OBEX packet. r=echou

2013-12-11 09:53:24 -05:00 · 2013-12-11 09:53:24 -05:00 · aae415e05c
--- a/dom/bluetooth/ObexBase.cpp
+++ b/dom/bluetooth/ObexBase.cpp
@ -9,7 +9,8 @@
 BEGIN_BLUETOOTH_NAMESPACE

 int
-AppendHeaderName(uint8_t* aRetBuf, const char* aName, int aLength)
+AppendHeaderName(uint8_t* aRetBuf, int aBufferSize, const char* aName,
+                 int aLength)
 {
  int headerLength = aLength + 3;

@ -17,13 +18,15 @@ AppendHeaderName(uint8_t* aRetBuf, const char* aName, int aLength)
  aRetBuf[1] = (headerLength & 0xFF00) >> 8;
  aRetBuf[2] = headerLength & 0x00FF;

-  memcpy(&aRetBuf[3], aName, aLength);
+  memcpy(&aRetBuf[3], aName, (aLength < aBufferSize - 3)? aLength
+                                                        : aBufferSize - 3);

  return headerLength;
 }

 int
-AppendHeaderBody(uint8_t* aRetBuf, uint8_t* aData, int aLength)
+AppendHeaderBody(uint8_t* aRetBuf, int aBufferSize, const uint8_t* aData,
+                 int aLength)
 {
  int headerLength = aLength + 3;

@ -31,7 +34,8 @@ AppendHeaderBody(uint8_t* aRetBuf, uint8_t* aData, int aLength)
  aRetBuf[1] = (headerLength & 0xFF00) >> 8;
  aRetBuf[2] = headerLength & 0x00FF;

-  memcpy(&aRetBuf[3], aData, aLength);
+  memcpy(&aRetBuf[3], aData, (aLength < aBufferSize - 3)? aLength
+                                                        : aBufferSize - 3);

  return headerLength;
 }
--- a/dom/bluetooth/ObexBase.h
+++ b/dom/bluetooth/ObexBase.h
@ -251,8 +251,10 @@ private:
  nsTArray<nsAutoPtr<ObexHeader> > mHeaders;
 };

-int AppendHeaderName(uint8_t* aRetBuf, const char* aName, int aLength);
-int AppendHeaderBody(uint8_t* aRetBuf, uint8_t* aData, int aLength);
+int AppendHeaderName(uint8_t* aRetBuf, int aBufferSize, const char* aName,
+                     int aLength);
+int AppendHeaderBody(uint8_t* aRetBuf, int aBufferSize, const uint8_t* aData,
+                     int aLength);
 int AppendHeaderEndOfBody(uint8_t* aRetBuf);
 int AppendHeaderLength(uint8_t* aRetBuf, int aObjectLength);
 int AppendHeaderConnectionId(uint8_t* aRetBuf, int aConnectionId);
--- a/dom/bluetooth/bluedroid/BluetoothOppManager.cpp
+++ b/dom/bluetooth/bluedroid/BluetoothOppManager.cpp
@ -46,6 +46,13 @@ static const uint32_t kUpdateProgressBase = 50 * 1024;
 */
 static const uint32_t kPutRequestHeaderSize = 6;

+/*
+ * The format of the appended header of an PUT request is
+ * [headerId:1][header length:4]
+ * P.S. Length of name header is 4 since unicode is 2 bytes per char.
+ */
+static const uint32_t kPutRequestAppendHeaderSize = 5;
+
 StaticRefPtr<BluetoothOppManager> sBluetoothOppManager;
 static bool sInShutdown = false;
 }
@ -970,6 +977,15 @@ BluetoothOppManager::ClientDataHandler(UnixSocketRawData* aMessage)
    mRemoteMaxPacketLength =
      (((int)(aMessage->mData[5]) << 8) | aMessage->mData[6]);

+    // The length of file name exceeds maximum length.
+    int fileNameByteLen = (mFileName.Length() + 1) * 2;
+    int headerLen = kPutRequestHeaderSize + kPutRequestAppendHeaderSize;
+    if (fileNameByteLen > mRemoteMaxPacketLength - headerLen) {
+      BT_WARNING("The length of file name is aberrant.");
+      SendDisconnectRequest();
+      return;
+    }
+
    SendPutHeaderRequest(mFileName, mFileLength);
  } else if (mLastCommand == ObexRequestCode::Put) {
    if (mWaitingToSendPutFinal) {
@ -1056,7 +1072,8 @@ BluetoothOppManager::SendPutHeaderRequest(const nsAString& aFileName,
  fileName[len * 2 + 1] = 0x00;

  int index = 3;
-  index += AppendHeaderName(&req[index], (char*)fileName, (len + 1) * 2);
+  index += AppendHeaderName(&req[index], mRemoteMaxPacketLength - index,
+                            (char*)fileName, (len + 1) * 2);
  index += AppendHeaderLength(&req[index], aFileSize);

  SendObexData(req, ObexRequestCode::Put, index);
@ -1069,9 +1086,8 @@ void
 BluetoothOppManager::SendPutRequest(uint8_t* aFileBody,
                                    int aFileBodyLength)
 {
-  int packetLeftSpace = mRemoteMaxPacketLength - kPutRequestHeaderSize;
-
  if (!mConnected) return;
+  int packetLeftSpace = mRemoteMaxPacketLength - kPutRequestHeaderSize;
  if (aFileBodyLength > packetLeftSpace) {
    BT_WARNING("Not allowed such a small MaxPacketLength value");
    return;
@ -1082,7 +1098,8 @@ BluetoothOppManager::SendPutRequest(uint8_t* aFileBody,
  uint8_t* req = new uint8_t[mRemoteMaxPacketLength];

  int index = 3;
-  index += AppendHeaderBody(&req[index], aFileBody, aFileBodyLength);
+  index += AppendHeaderBody(&req[index], mRemoteMaxPacketLength - index,
+                            aFileBody, aFileBodyLength);

  SendObexData(req, ObexRequestCode::Put, index);
  delete [] req;
--- a/dom/bluetooth/bluez/BluetoothOppManager.cpp
+++ b/dom/bluetooth/bluez/BluetoothOppManager.cpp
@ -46,6 +46,13 @@ static const uint32_t kUpdateProgressBase = 50 * 1024;
 */
 static const uint32_t kPutRequestHeaderSize = 6;

+/*
+ * The format of the appended header of an PUT request is
+ * [headerId:1][header length:4]
+ * P.S. Length of name header is 4 since unicode is 2 bytes per char.
+ */
+static const uint32_t kPutRequestAppendHeaderSize = 5;
+
 StaticRefPtr<BluetoothOppManager> sBluetoothOppManager;
 static bool sInShutdown = false;
 }
@ -984,6 +991,15 @@ BluetoothOppManager::ClientDataHandler(UnixSocketRawData* aMessage)
    mRemoteMaxPacketLength =
      (((int)(aMessage->mData[5]) << 8) | aMessage->mData[6]);

+    // The length of file name exceeds maximum length.
+    int fileNameByteLen = (mFileName.Length() + 1) * 2;
+    int headerLen = kPutRequestHeaderSize + kPutRequestAppendHeaderSize;
+    if (fileNameByteLen > mRemoteMaxPacketLength - headerLen) {
+      BT_WARNING("The length of file name is aberrant.");
+      SendDisconnectRequest();
+      return;
+    }
+
    SendPutHeaderRequest(mFileName, mFileLength);
  } else if (mLastCommand == ObexRequestCode::Put) {
    if (mWaitingToSendPutFinal) {
@ -1070,7 +1086,8 @@ BluetoothOppManager::SendPutHeaderRequest(const nsAString& aFileName,
  fileName[len * 2 + 1] = 0x00;

  int index = 3;
-  index += AppendHeaderName(&req[index], (char*)fileName, (len + 1) * 2);
+  index += AppendHeaderName(&req[index], mRemoteMaxPacketLength - index,
+                            (char*)fileName, (len + 1) * 2);
  index += AppendHeaderLength(&req[index], aFileSize);

  SendObexData(req, ObexRequestCode::Put, index);
@ -1083,9 +1100,8 @@ void
 BluetoothOppManager::SendPutRequest(uint8_t* aFileBody,
                                    int aFileBodyLength)
 {
-  int packetLeftSpace = mRemoteMaxPacketLength - kPutRequestHeaderSize;
-
  if (!mConnected) return;
+  int packetLeftSpace = mRemoteMaxPacketLength - kPutRequestHeaderSize;
  if (aFileBodyLength > packetLeftSpace) {
    BT_WARNING("Not allowed such a small MaxPacketLength value");
    return;
@ -1096,11 +1112,11 @@ BluetoothOppManager::SendPutRequest(uint8_t* aFileBody,
  uint8_t* req = new uint8_t[mRemoteMaxPacketLength];

  int index = 3;
-  index += AppendHeaderBody(&req[index], aFileBody, aFileBodyLength);
+  index += AppendHeaderBody(&req[index], mRemoteMaxPacketLength - index,
+                            aFileBody, aFileBodyLength);

  SendObexData(req, ObexRequestCode::Put, index);
  delete [] req;
-
  mSentFileLength += aFileBodyLength;
 }