fix(bt/bluedroid): fixed potential OOB in AVRCP vendor command composition

Jin Cheng
2025-10-09 14:18:40 +08:00
committed by BOT
parent 1904fd4d9c
commit 565fa98d0c


@@ -48,17 +48,28 @@
******************************************************************************/
static BT_HDR *avrc_vendor_msg(tAVRC_MSG_VENDOR *p_msg)
{
BT_HDR *p_cmd;
BT_HDR *p_cmd = NULL;
UINT8 *p_data;
assert(p_msg != NULL);
/*
A vendor dependent command consists of at least of:
- A BT_HDR, plus
- AVCT_MSG_OFFSET, plus
- 3 bytes for ctype, subunit_type and op_vendor, plus
- 3 bytes for company_id
*/
#define AVRC_MIN_VENDOR_CMD_LEN (BT_HDR_SIZE + AVCT_MSG_OFFSET + AVRC_VENDOR_HDR_SIZE)
if (!p_msg) {
return NULL;
}
#if AVRC_METADATA_INCLUDED == TRUE
assert(AVRC_META_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->vendor_len));
if ((p_cmd = (BT_HDR *) osi_malloc(AVRC_META_CMD_BUF_SIZE)) != NULL)
if ((AVRC_META_CMD_BUF_SIZE > AVRC_MIN_VENDOR_CMD_LEN + p_msg->vendor_len) &&
((p_cmd = (BT_HDR *) osi_malloc(AVRC_META_CMD_BUF_SIZE)) != NULL))
#else
assert(AVRC_CMD_BUF_SIZE > (AVRC_MIN_CMD_LEN + p_msg->vendor_len));
if ((p_cmd = (BT_HDR *) osi_malloc(AVRC_CMD_BUF_SIZE)) != NULL)
if ((AVRC_CMD_BUF_SIZE > (AVRC_MIN_VENDOR_CMD_LEN + p_msg->vendor_len)) &&
(p_cmd = (BT_HDR *) osi_malloc(AVRC_CMD_BUF_SIZE)) != NULL)
#endif
{
p_cmd->offset = AVCT_MSG_OFFSET;
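Review bot: The new length guard in both `#if` branches adds `p_msg->vendor_len` to `AVRC_MIN_VENDOR_CMD_LEN` before comparing, so it is only sound if that sum cannot wrap. The type of `vendor_len` is not visible in this hunk; comparing against the constant side instead, e.g. `p_msg->vendor_len < AVRC_META_CMD_BUF_SIZE - AVRC_MIN_VENDOR_CMD_LEN` (and likewise with `AVRC_CMD_BUF_SIZE`), removes that dependency as long as the buffer size exceeds the minimum. An oversized request and an `osi_malloc` failure now both skip the block with `p_cmd == NULL` and no diagnostic, so a warning log on the length-rejection path would make malformed vendor lengths visible to whoever triages the device. The `#define AVRC_MIN_VENDOR_CMD_LEN` sits inside the function body but remains defined for the rest of the file, so it would read better next to the other AVRC size constants or followed by an `#undef`; its comment also says "consists of at least of" and counts 3 + 3 bytes, which should be checked against `AVRC_VENDOR_HDR_SIZE`. The body of `avrc_vendor_msg` continues past the end of this hunk, so the return path for the rejected case is not shown here.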