Closed Bug 1166587 Opened 5 years ago Closed 5 years ago

Check OBEX packet length before accessing it


(Firefox OS Graveyard :: Bluetooth, defect)

Gonk (Firefox OS)


(blocking-b2g:2.2r+, firefox41 fixed, b2g-v2.2r fixed, b2g-master fixed)



(Reporter: ben.tian, Assigned: ben.tian)




(3 files, 1 obsolete file)

+++ This bug was initially created as a clone of Bug #1162902 +++

Bug #1162902 comment 7 mentions an OBEX packet length problem that we should check for both OPP and PBAP managers.

Create this bug to fix them:
- ensure the received packet length is smaller than the max packet length
- ensure the received packet length is equal to or larger than what we expect for different opcodes.
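
The two checks listed in the description, sketched as an added example (not part of the bug report or of the landed Gecko patch): a received OBEX request is validated before any field in it is read. The function names, the `ObexCheck` enum and the caller-supplied `maxPacketLength` are assumptions for illustration; the minimum lengths follow the fixed request layouts in the OBEX specification.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Request opcodes as defined by the OBEX specification.
enum : uint8_t { kConnect = 0x80, kSetPath = 0x85, kPutFinal = 0x82 };
enum class ObexCheck { Ok, TooShort, TooLong };

// Smallest packet that still contains every fixed field of the request.
static size_t MinRequestLength(uint8_t opcode) {
  switch (opcode) {
    case kConnect: return 7;  // opcode, length(2), version, flags, max packet length(2)
    case kSetPath: return 5;  // opcode, length(2), flags, constants
    default:       return 3;  // opcode, length(2)
  }
}

// Validate a received buffer before any field in it is read.
// maxPacketLength is the receiver's own limit, supplied by the caller (assumption);
// a packet of exactly that size is accepted here (assumption).
ObexCheck CheckObexRequest(const uint8_t* data, size_t received, size_t maxPacketLength) {
  if (data == nullptr || received < 1) return ObexCheck::TooShort;  // no opcode to read
  if (received > maxPacketLength) return ObexCheck::TooLong;
  if (received < MinRequestLength(data[0])) return ObexCheck::TooShort;
  return ObexCheck::Ok;
}

// Read the peer's max packet length from a Connect request; returns false
// instead of touching data[5] and data[6] when the packet fails the checks.
bool ReadConnectMaxPacketLength(const uint8_t* data, size_t received,
                                size_t maxPacketLength, uint16_t* out) {
  if (CheckObexRequest(data, received, maxPacketLength) != ObexCheck::Ok ||
      data[0] != kConnect) {
    return false;
  }
  *out = static_cast<uint16_t>((data[5] << 8) | data[6]);  // big-endian field
  return true;
}

int main() {
  // Constructed sample: a Connect request cut off after the flags byte.
  const uint8_t truncated[] = {0x80, 0x00, 0x07, 0x10, 0x00};
  uint16_t peerMax = 0;
  bool ok = ReadConnectMaxPacketLength(truncated, sizeof(truncated), 1024, &peerMax);
  std::printf("truncated Connect accepted: %s\n", ok ? "yes" : "no");
  return 0;
}
```
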
Assignee: nobody → btian
Attachment #8607952 - Flags: review?(shuang)
Comment on attachment 8607952
Patch 1 (v1): Check OBEX packet length before accessing it

Review of attachment 8607952:

The code looks good to me. Thanks, Ben!
Attachment #8607952 - Flags: review?(shuang) → review+
Try fails to build on the ICS emulator for lack of the BlueZ OPP manager change. I'll add the BlueZ OPP change into the patch.
Closed: 5 years ago
Resolution: --- → FIXED
Hi Ben,
According to Bug #1162902 comment 7, the patch prevents the invalid memory access.
Since Bug 1162902 has landed on 2.2r, we might consider landing this patch on 2.2r too.
What do you think?
Flags: needinfo?(btian)
Set 2.2r+ blocker per comment 7.
blocking-b2g: --- → 2.2r+
Flags: needinfo?(btian)
Rebased patch for branch 2.2r.
Carry r+ from previous patch.
Attachment #8677436 - Flags: review+
Second rebased patch for 2.2r, for the related function call in BluetoothMapSmsManager.cpp.

Hi Shawn,
Since I am currently not familiar with the MAP profile,
could you help review this slight modification?

Attachment #8677438 - Flags: review?(shuang)