diff options
author | Hemant Gupta <hemantg@codeaurora.org> | 2016-12-28 12:10:47 +0530 |
---|---|---|
committer | Myles Watson <mylesgw@google.com> | 2017-11-09 20:06:51 +0000 |
commit | 5e04c8bbc1f0db403502e9dcbd1218adb9e98825 (patch) | |
tree | 139958b6506ad1c2958636aaf59841fc5400cd09 /obex | |
parent | bbaa19cad3227eb0262beb5555db54902ef17821 (diff) | |
download | base-5e04c8bbc1f0db403502e9dcbd1218adb9e98825.tar.gz |
OBEX : Handle Negative index Exception
Use case:
1. Send file to remote device.
2. Wait for accepting the file transfer on remote device.
Use Specific remote device(that sends some
optional headers).
Failure:
No file acceptance popup seen on remote device.
Root cause:
Crash in com.android.bluetooth.
FATAL EXCEPTION: BtOpp ClientThread
Process: com.android.bluetooth, PID: 22527
java.lang.NegativeArraySizeException: -3
at javax.obex.ObexHelper.updateHeaderSet(ObexHelper.java:216)
at javax.obex.ClientSession.sendRequest(ClientSession.java:568)
at javax.obex.ClientSession.connect(ClientSession.java:148)
at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread.
connect(BluetoothOppObexClientSession.java:317)
at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread.
run(BluetoothOppObexClientSession.java:231)
am_crash( 1402): [22527,0,com.android.bluetooth,818462277,java.lang.
NegativeArraySizeException,-3,ObexHelper.java,216]
Fix:
Add length check before allocate memory and break loop if length is less than
expected header length as per OBEX Specification to prevent crash.
Test: Verified that OPP Tx and Rx works successfully multiple times.
Bug: 35588578
Change-Id: I805e6b1d51f69645d5132c3c18db2e752d04b096
Diffstat (limited to 'obex')
-rw-r--r-- | obex/javax/obex/ObexHelper.java | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/obex/javax/obex/ObexHelper.java b/obex/javax/obex/ObexHelper.java index fa50943343e9..478297f2a3c9 100644 --- a/obex/javax/obex/ObexHelper.java +++ b/obex/javax/obex/ObexHelper.java @@ -80,6 +80,9 @@ public final class ObexHelper { // The minimum allowed max packet size is 255 according to the OBEX specification public static final int LOWER_LIMIT_MAX_PACKET_SIZE = 255; + // The length of OBEX Byte Sequency Header Id according to the OBEX specification + public static final int OBEX_BYTE_SEQ_HEADER_LEN = 0x03; + /** * Temporary workaround to be able to push files to Windows 7. * TODO: Should be removed as soon as Microsoft updates their driver. @@ -205,12 +208,15 @@ public final class ObexHelper { case 0x40: boolean trimTail = true; index++; - length = 0xFF & headerArray[index]; - length = length << 8; - index++; - length += 0xFF & headerArray[index]; - length -= 3; - index++; + length = ((0xFF & headerArray[index]) << 8) + + (0xFF & headerArray[index + 1]); + index += 2; + if (length <= OBEX_BYTE_SEQ_HEADER_LEN) { + Log.e(TAG, "Remote sent an OBEX packet with " + + "incorrect header length = " + length); + break; + } + length -= OBEX_BYTE_SEQ_HEADER_LEN; value = new byte[length]; System.arraycopy(headerArray, index, value, 0, length); if (length == 0 || (length > 0 && (value[length - 1] != 0))) { |