```c
int bt_avdtp_l2cap_recv(struct bt_l2cap_chan *chan, struct net_buf *buf)
{
	struct bt_avdtp_single_sig_hdr *hdr;
	struct bt_avdtp *session = AVDTP_CHAN(chan);
	uint8_t i, msgtype, pack_type, sigid, tid;

	/* Check the buffer length is not smaller than hdr */
	if (buf->len < sizeof(*hdr)) {
		LOG_ERR("Recvd Wrong AVDTP Header");
		return 0;
	}

	hdr = net_buf_pull_mem(buf, sizeof(*hdr));
	pack_type = AVDTP_GET_PKT_TYPE(hdr->hdr);
	msgtype = AVDTP_GET_MSG_TYPE(hdr->hdr);
	sigid = AVDTP_GET_SIG_ID(hdr->signal_id);
	tid = AVDTP_GET_TR_ID(hdr->hdr);

	LOG_DBG("pack_type[0x%02x] msg_type[0x%02x] sig_id[0x%02x] tid[0x%02x]",
		pack_type, msgtype, sigid, tid);

	/* TODO: only support single packet now */
	if (pack_type != BT_AVDTP_PACKET_TYPE_SINGLE) {
		if (pack_type == BT_AVDTP_PACKET_TYPE_START) {
			struct net_buf *rsp_buf;
			int err;

			sigid = net_buf_pull_u8(buf); // <-- Pulling the buf without size check
```
Summary

No proper validation of the length of user input in `bt_avdtp_l2cap_recv` in zephyr/subsys/bluetooth/host/classic/avdtp.c.

Details

There is no length check before pulling data from `net_buf` in `bt_avdtp_l2cap_recv` (see the snippet above). After the two-octet header has been consumed, a START packet is expected to carry a further signal id octet, but `net_buf_pull_u8(buf)` is called without confirming that `buf->len` still covers it; there should be a length check before retrieving the remaining body.
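The parse path described above, rebuilt as a stand-alone added example (this is not Zephyr's code and not the fix in #77969). It puts the unguarded `net_buf_pull_u8()` from the snippet next to a variant that checks `buf->len` first, and runs both over constructed packets, including a START packet whose signal id octet is missing. Everything here is an assumption for the sake of the example: the `struct net_buf` and `net_buf_pull_*` stand-ins (real Zephyr `net_buf` has more fields and asserts), the `avdtp_parse_hdr`/`run_packet` names, the 0xAA sentinel and the sample packets. The header bit masks follow the AVDTP signalling header layout (transaction label, packet type, message type).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for Zephyr's struct net_buf: a cursor and a length. */
struct net_buf {
	uint8_t *data;
	uint16_t len;
};

/* Like net_buf_pull_mem(): advance the cursor, no check against buf->len. */
static void *net_buf_pull_mem(struct net_buf *buf, size_t len)
{
	void *p = buf->data;

	buf->data += len;
	buf->len -= len;	/* wraps to 0xFFFF when len > buf->len */
	return p;
}

/* Like net_buf_pull_u8(): returns the byte at the cursor, inside the payload or not. */
static uint8_t net_buf_pull_u8(struct net_buf *buf)
{
	uint8_t v = buf->data[0];

	net_buf_pull_mem(buf, 1);
	return v;
}

struct bt_avdtp_single_sig_hdr {
	uint8_t hdr;		/* transaction label | packet type | message type */
	uint8_t signal_id;	/* signal id for SINGLE, NOSP for START */
};

#define AVDTP_GET_TR_ID(h)    (((h) & 0xf0) >> 4)
#define AVDTP_GET_PKT_TYPE(h) (((h) & 0x0c) >> 2)
#define AVDTP_GET_MSG_TYPE(h) ((h) & 0x03)
#define AVDTP_GET_SIG_ID(s)   ((s) & 0x3f)

enum { BT_AVDTP_PACKET_TYPE_SINGLE = 0, BT_AVDTP_PACKET_TYPE_START = 1 };

struct avdtp_fields {
	uint8_t pack_type, msgtype, sigid, tid;
};

/* Header parse shaped like bt_avdtp_l2cap_recv(). hardened == false repeats the
 * unguarded pull from the advisory; hardened == true adds the missing check.
 * Returns 0 on success, -1 when the packet is rejected. */
static int avdtp_parse_hdr(struct net_buf *buf, bool hardened, struct avdtp_fields *out)
{
	struct bt_avdtp_single_sig_hdr *hdr;

	if (buf->len < sizeof(*hdr)) {
		return -1;	/* check the original code already has */
	}
	hdr = net_buf_pull_mem(buf, sizeof(*hdr));
	out->pack_type = AVDTP_GET_PKT_TYPE(hdr->hdr);
	out->msgtype = AVDTP_GET_MSG_TYPE(hdr->hdr);
	out->sigid = AVDTP_GET_SIG_ID(hdr->signal_id);
	out->tid = AVDTP_GET_TR_ID(hdr->hdr);

	if (out->pack_type == BT_AVDTP_PACKET_TYPE_START) {
		/* START carries NOSP in hdr->signal_id and the real signal id in the
		 * next octet, which a remote peer can simply leave out. */
		if (hardened && buf->len < sizeof(uint8_t)) {
			return -1;	/* check the advisory says is missing */
		}
		out->sigid = net_buf_pull_u8(buf);	/* unmasked, as in the snippet */
	}
	return 0;
}

/* Runs the parser over a constructed packet. The payload is copied in front of
 * 0xAA sentinel bytes so an over-read is visible as a value rather than UB.
 * Returns the parser status; *len_after receives buf->len when parsing ends. */
int run_packet(const uint8_t *pkt, size_t len, bool hardened,
	       struct avdtp_fields *out, uint16_t *len_after)
{
	uint8_t backing[16];
	struct net_buf buf = { .data = backing, .len = (uint16_t)len };
	int rc;

	if (len >= sizeof(backing)) {
		return -1;
	}
	memset(backing, 0xAA, sizeof(backing));
	memcpy(backing, pkt, len);
	memset(out, 0, sizeof(*out));

	rc = avdtp_parse_hdr(&buf, hardened, out);
	*len_after = buf.len;
	return rc;
}

/* Constructed inputs, all with transaction label 1 and a command message type. */
const uint8_t avdtp_single_discover[] = { 0x10, 0x01 };		/* SINGLE, DISCOVER */
const uint8_t avdtp_start_complete[]  = { 0x14, 0x02, 0x01 };	/* START, NOSP 2, DISCOVER */
const uint8_t avdtp_start_truncated[] = { 0x14, 0x02 };		/* START, signal id missing */
```

With `hardened == false` the truncated START packet is accepted: the parser reads the sentinel 0xAA as the signal id and `buf->len` wraps to 0xFFFF, so every later pull believes the buffer is almost 64 KiB long. With `hardened == true` the same packet is rejected with `buf->len` still 0. In the real stack the octets that follow (the body the advisory refers to) need the same treatment: each pull has to be preceded by a check that `buf->len` still covers it.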
Impact

Exploitation could lead to instability (i.e., a crash of the device) or denial of service.
Patches
main: #77969
For more information
If you have any questions or comments about this advisory:
embargo: 2024-11-22