| field | value | date |
|---|---|---|
| author | Brian Delwiche <delwiche@google.com> | 2023-03-01 00:22:59 +0000 |
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-09-01 12:06:48 +0000 |
| commit | 37bb6d6ebb03d2df8ef3ccb0119be1f04ded7eb1 (patch) | |
| tree | 436fcc7e4e71a3b437b0d8706395f37f3eb2143c | |
| parent | 83072e7ea62f10112bab31143f6a7f5c1ba78a37 (diff) | |
Fix potential abort in btu_av_act.cc
Partner analysis shows that bta_av_rc_msg does not respect handling
established for a null browse packet, instead dispatching the null
pointer to bta_av_rc_free_browse_msg. Strictly speaking this does
not cause a UAF, as osi_free_and_reset will find the null and abort,
but it will lead to improper program termination.
Handle the case instead.
Bug: 269253349
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d3ee136851de30261e56c62fbb488541dc564b94)
Merged-In: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d
Change-Id: I14dc4910476c733b246bcf7ff292afe9b7c0cc3d
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | system/bta/av/bta_av_act.cc | 5 |

1 files changed, 4 insertions, 1 deletions
diff --git a/system/bta/av/bta_av_act.cc b/system/bta/av/bta_av_act.cc index be199a4da3..357ca0ecf6 100644 --- a/system/bta/av/bta_av_act.cc +++ b/system/bta/av/bta_av_act.cc @@ -1001,7 +1001,10 @@ void bta_av_rc_msg(tBTA_AV_CB* p_cb, tBTA_AV_DATA* p_data) { av.remote_cmd.rc_handle = p_data->rc_msg.handle; (*p_cb->p_cback)(evt, &av); /* If browsing message, then free the browse message buffer */ - bta_av_rc_free_browse_msg(p_cb, p_data); + if (p_data->rc_msg.opcode == AVRC_OP_BROWSE && + p_data->rc_msg.msg.browse.p_browse_pkt != NULL) { + bta_av_rc_free_browse_msg(p_cb, p_data); + } } } |
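Review bot: the guard is added at this one call site only, whereas the commit message says the problem is that the null-browse-packet handling is not respected before dispatching to bta_av_rc_free_browse_msg; consider placing the `p_data->rc_msg.msg.browse.p_browse_pkt != NULL` check inside bta_av_rc_free_browse_msg itself so that every caller is protected rather than just bta_av_rc_msg. The opcode check before the pointer check is correct, since `msg.browse` is only meaningful when `rc_msg.opcode == AVRC_OP_BROWSE` and the `&&` short-circuits otherwise. The diffstat shows only bta_av_act.cc changed and the Test line names an existing suite, so a regression test that drives bta_av_rc_msg with an AVRC_OP_BROWSE message carrying a NULL p_browse_pkt would pin down the fixed behaviour.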
