This repository has been archived by the owner on Jan 5, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path0001-BACKPORT-Don-t-use-Address-after-it-was-deleted.patch
121 lines (109 loc) · 4.25 KB
/
0001-BACKPORT-Don-t-use-Address-after-it-was-deleted.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
From 4b861db6dc74a88f6983261e6582afb8d27ae6e7 Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski <[email protected]>
Date: Wed, 11 Jul 2018 02:57:07 -0700
Subject: [PATCH] BACKPORT: Don't use Address after it was deleted
Bug: 110216173
Change-Id: Id3364cf53153eafed478546d7347ed1673217e91
(cherry picked from commit 9930f6f4e14e64966869b119994126283d645fd0)
CVE-2018-9483
---
bta/dm/bta_dm_act.c | 10 +++++++---
stack/btm/btm_dev.c | 25 +++++++++++++------------
stack/include/btm_api.h | 19 ++++++++++---------
3 files changed, 30 insertions(+), 24 deletions(-)
diff --git a/bta/dm/bta_dm_act.c b/bta/dm/bta_dm_act.c
index 981d0462..1e7ecf30 100644
--- a/bta/dm/bta_dm_act.c
+++ b/bta/dm/bta_dm_act.c
@@ -4132,12 +4132,16 @@ static void bta_dm_remove_sec_dev_entry(BD_ADDR remote_bd_addr)
}
else
{
- BTM_SecDeleteDevice (remote_bd_addr);
+ // remote_bd_addr comes from security record, which is removed in
+ // BTM_SecDeleteDevice.
+ BD_ADDR addr_copy;
+ memcpy(addr_copy, remote_bd_addr, BD_ADDR_LEN);
+ BTM_SecDeleteDevice(addr_copy);
#if (BLE_INCLUDED == TRUE && BTA_GATT_INCLUDED == TRUE)
/* need to remove all pending background connection */
- BTA_GATTC_CancelOpen(0, remote_bd_addr, FALSE);
+ BTA_GATTC_CancelOpen(0, addr_copy, FALSE);
/* remove all cached GATT information */
- BTA_GATTC_Refresh(remote_bd_addr);
+ BTA_GATTC_Refresh(addr_copy);
#endif
}
}
diff --git a/stack/btm/btm_dev.c b/stack/btm/btm_dev.c
index 9f83936d..1b7c7d88 100644
--- a/stack/btm/btm_dev.c
+++ b/stack/btm/btm_dev.c
@@ -163,17 +163,16 @@ BOOLEAN BTM_SecAddDevice (BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name,
}
-/*******************************************************************************
-**
-** Function BTM_SecDeleteDevice
-**
-** Description Free resources associated with the device.
-**
-** Parameters: bd_addr - BD address of the peer
-**
-** Returns TRUE if removed OK, FALSE if not found or ACL link is active
-**
-*******************************************************************************/
+/** Free resources associated with the device associated with |bd_addr| address.
+ *
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
+ *
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
BOOLEAN BTM_SecDeleteDevice (BD_ADDR bd_addr)
{
tBTM_SEC_DEV_REC *p_dev_rec;
@@ -187,13 +186,15 @@ BOOLEAN BTM_SecDeleteDevice (BD_ADDR bd_addr)
if ((p_dev_rec = btm_find_dev (bd_addr)) == NULL)
return(FALSE);
+ BD_ADDR bda;
+ memcpy(bda, p_dev_rec->bd_addr, BD_ADDR_LEN);
#if BLE_INCLUDED == TRUE && BLE_PRIVACY_SPT == TRUE
btm_ble_vendor_irk_list_remove_dev(p_dev_rec);
#endif
btm_sec_free_dev (p_dev_rec);
/* Tell controller to get rid of the link key if it has one stored */
- BTM_DeleteStoredLinkKey (bd_addr, NULL);
+ BTM_DeleteStoredLinkKey (&bda, NULL);
return(TRUE);
}
diff --git a/stack/include/btm_api.h b/stack/include/btm_api.h
index 20e7bbe0..1bb5a79e 100644
--- a/stack/include/btm_api.h
+++ b/stack/include/btm_api.h
@@ -3946,15 +3946,16 @@ BTM_API extern tBTM_STATUS BTM_SetWBSCodec (tBTM_SCO_CODEC_TYPE codec_type);
UINT8 pin_len);
-/*******************************************************************************
-**
-** Function BTM_SecDeleteDevice
-**
-** Description Free resources associated with the device.
-**
-** Returns TRUE if rmoved OK, FALSE if not found
-**
-*******************************************************************************/
+/** Free resources associated with the device associated with |bd_addr| address.
+ *
+ * *** WARNING ***
+ * tBTM_SEC_DEV_REC associated with bd_addr becomes invalid after this function
+ * is called, also any of it's fields. i.e. if you use p_dev_rec->bd_addr, it is
+ * no longer valid!
+ * *** WARNING ***
+ *
+ * Returns true if removed OK, false if not found or ACL link is active.
+ */
BTM_API extern BOOLEAN BTM_SecDeleteDevice (BD_ADDR bd_addr);
--
2.11.0