From 5e04c8bbc1f0db403502e9dcbd1218adb9e98825 Mon Sep 17 00:00:00 2001
From: Hemant Gupta <hemantg@codeaurora.org>
Date: Wed, 28 Dec 2016 12:10:47 +0530
Subject: OBEX : Handle Negative index Exception

Use case:
1. Send file to remote device.
2. Wait for accepting the file transfer on remote device.
   Use Specific remote device(that sends some
     optional headers).

Failure:
No file acceptance popup seen on remote device.

Root cause:
Crash in com.android.bluetooth.

 FATAL EXCEPTION: BtOpp ClientThread
 Process: com.android.bluetooth, PID: 22527
 java.lang.NegativeArraySizeException: -3
 at javax.obex.ObexHelper.updateHeaderSet(ObexHelper.java:216)
 at javax.obex.ClientSession.sendRequest(ClientSession.java:568)
 at javax.obex.ClientSession.connect(ClientSession.java:148)
 at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread.
   connect(BluetoothOppObexClientSession.java:317)
 at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread.
   run(BluetoothOppObexClientSession.java:231)
 am_crash( 1402): [22527,0,com.android.bluetooth,818462277,java.lang.
   NegativeArraySizeException,-3,ObexHelper.java,216]

Fix:
Add length check before allocate memory and break loop if length is less than
expected header length as per OBEX Specification  to prevent crash.

Test: Verified that OPP Tx and Rx works successfully multiple times.

Bug: 35588578
Change-Id: I805e6b1d51f69645d5132c3c18db2e752d04b096
---
 obex/javax/obex/ObexHelper.java | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

(limited to 'obex')

diff --git a/obex/javax/obex/ObexHelper.java b/obex/javax/obex/ObexHelper.java
index fa50943343e9..478297f2a3c9 100644
--- a/obex/javax/obex/ObexHelper.java
+++ b/obex/javax/obex/ObexHelper.java
@@ -80,6 +80,9 @@ public final class ObexHelper {
     // The minimum allowed max packet size is 255 according to the OBEX specification
     public static final int LOWER_LIMIT_MAX_PACKET_SIZE = 255;
 
+    // The length of OBEX Byte Sequency Header Id according to the OBEX specification
+    public static final int OBEX_BYTE_SEQ_HEADER_LEN = 0x03;
+
     /**
      * Temporary workaround to be able to push files to Windows 7.
      * TODO: Should be removed as soon as Microsoft updates their driver.
@@ -205,12 +208,15 @@ public final class ObexHelper {
                     case 0x40:
                         boolean trimTail = true;
                         index++;
-                        length = 0xFF & headerArray[index];
-                        length = length << 8;
-                        index++;
-                        length += 0xFF & headerArray[index];
-                        length -= 3;
-                        index++;
+                        length = ((0xFF & headerArray[index]) << 8) +
+                                 (0xFF & headerArray[index + 1]);
+                        index += 2;
+                        if (length <= OBEX_BYTE_SEQ_HEADER_LEN) {
+                            Log.e(TAG, "Remote sent an OBEX packet with " +
+                                  "incorrect header length = " + length);
+                            break;
+                        }
+                        length -= OBEX_BYTE_SEQ_HEADER_LEN;
                         value = new byte[length];
                         System.arraycopy(headerArray, index, value, 0, length);
                         if (length == 0 || (length > 0 && (value[length - 1] != 0))) {
-- 
cgit v1.2.3