OBEX : Handle Negative index Exception

Use case: 1. Send file to remote device. 2. Wait for accepting the file transfer on remote device. Use Specific remote device(that sends some optional headers). Failure: No file acceptance popup seen on remote device. Root cause: Crash in com.android.bluetooth. FATAL EXCEPTION: BtOpp ClientThread Process: com.android.bluetooth, PID: 22527 java.lang.NegativeArraySizeException: -3 at javax.obex.ObexHelper.updateHeaderSet(ObexHelper.java:216) at javax.obex.ClientSession.sendRequest(ClientSession.java:568) at javax.obex.ClientSession.connect(ClientSession.java:148) at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread. connect(BluetoothOppObexClientSession.java:317) at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread. run(BluetoothOppObexClientSession.java:231) am_crash( 1402): [22527,0,com.android.bluetooth,818462277,java.lang. NegativeArraySizeException,-3,ObexHelper.java,216] Fix: Add length check before allocate memory and break loop if length is less than expected header length as per OBEX Specification to prevent crash. Test: Verified that OPP Tx and Rx works successfully multiple times. Bug: 35588578 Change-Id: I805e6b1d51f69645d5132c3c18db2e752d04b096
author: Hemant Gupta <hemantg@codeaurora.org> 2016-12-28 12:10:47 +0530
committer: Myles Watson <mylesgw@google.com> 2017-11-09 20:06:51 +0000
commit: 5e04c8bbc1f0db403502e9dcbd1218adb9e98825 (patch)
tree: 139958b6506ad1c2958636aaf59841fc5400cd09 /obex
parent: bbaa19cad3227eb0262beb5555db54902ef17821 (diff)
download: base-5e04c8bbc1f0db403502e9dcbd1218adb9e98825.tar.gz
1 files changed, 12 insertions, 6 deletions
diff --git a/obex/javax/obex/ObexHelper.java b/obex/javax/obex/ObexHelper.java
index fa50943343e9..478297f2a3c9 100644
--- a/obex/javax/obex/ObexHelper.java
+++ b/obex/javax/obex/ObexHelper.java
@@ -80,6 +80,9 @@ public final class ObexHelper {
     // The minimum allowed max packet size is 255 according to the OBEX specification
     public static final int LOWER_LIMIT_MAX_PACKET_SIZE = 255;
 
+    // The length of OBEX Byte Sequency Header Id according to the OBEX specification
+    public static final int OBEX_BYTE_SEQ_HEADER_LEN = 0x03;
+
     /**
      * Temporary workaround to be able to push files to Windows 7.
      * TODO: Should be removed as soon as Microsoft updates their driver.
@@ -205,12 +208,15 @@ public final class ObexHelper {
                     case 0x40:
                         boolean trimTail = true;
                         index++;
-                        length = 0xFF & headerArray[index];
-                        length = length << 8;
-                        index++;
-                        length += 0xFF & headerArray[index];
-                        length -= 3;
-                        index++;
+                        length = ((0xFF & headerArray[index]) << 8) +
+                                 (0xFF & headerArray[index + 1]);
+                        index += 2;
+                        if (length <= OBEX_BYTE_SEQ_HEADER_LEN) {
+                            Log.e(TAG, "Remote sent an OBEX packet with " +
+                                  "incorrect header length = " + length);
+                            break;
+                        }
+                        length -= OBEX_BYTE_SEQ_HEADER_LEN;
                         value = new byte[length];
                         System.arraycopy(headerArray, index, value, 0, length);
                         if (length == 0 || (length > 0 && (value[length - 1] != 0))) {
author	Hemant Gupta <hemantg@codeaurora.org>	2016-12-28 12:10:47 +0530
committer	Myles Watson <mylesgw@google.com>	2017-11-09 20:06:51 +0000
commit	5e04c8bbc1f0db403502e9dcbd1218adb9e98825 (patch)
tree	139958b6506ad1c2958636aaf59841fc5400cd09 /obex
parent	bbaa19cad3227eb0262beb5555db54902ef17821 (diff)
download	base-5e04c8bbc1f0db403502e9dcbd1218adb9e98825.tar.gz