OBEX : Handle Negative index Exception

Use case:
1. Send file to remote device.
2. Wait for accepting the file transfer on remote device.
   Use a specific remote device (that sends some
     optional headers).

Failure:
No file acceptance popup seen on remote device.

Root cause:
Crash in com.android.bluetooth.

 FATAL EXCEPTION: BtOpp ClientThread
 Process: com.android.bluetooth, PID: 22527
 java.lang.NegativeArraySizeException: -3
 at javax.obex.ObexHelper.updateHeaderSet(ObexHelper.java:216)
 at javax.obex.ClientSession.sendRequest(ClientSession.java:568)
 at javax.obex.ClientSession.connect(ClientSession.java:148)
 at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread.
   connect(BluetoothOppObexClientSession.java:317)
 at com.android.bluetooth.opp.BluetoothOppObexClientSession$ClientThread.
   run(BluetoothOppObexClientSession.java:231)
 am_crash( 1402): [22527,0,com.android.bluetooth,818462277,java.lang.
   NegativeArraySizeException,-3,ObexHelper.java,216]

Fix:
Add a length check before allocating memory and break the loop if the length is
less than the expected header length as per the OBEX Specification, to prevent the crash.

Test: Verified that OPP Tx and Rx works successfully multiple times.

Bug: 35588578
Change-Id: I805e6b1d51f69645d5132c3c18db2e752d04b096
Hemant Gupta
2016-12-28 12:10:47 +05:30
committed by Myles Watson
parent bbaa19cad3
commit 5e04c8bbc1

@@ -80,6 +80,9 @@ public final class ObexHelper {
// The minimum allowed max packet size is 255 according to the OBEX specification
public static final int LOWER_LIMIT_MAX_PACKET_SIZE = 255;
// The length of OBEX Byte Sequency Header Id according to the OBEX specification
public static final int OBEX_BYTE_SEQ_HEADER_LEN = 0x03;
/**
* Temporary workaround to be able to push files to Windows 7.
* TODO: Should be removed as soon as Microsoft updates their driver.
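Review bot: The comment above OBEX_BYTE_SEQ_HEADER_LEN misspells "Sequence" as "Sequency" and calls the value the length of the header ID, but 0x03 covers the one-byte header ID plus the two-byte length field. Suggest wording such as "Length of the OBEX byte sequence header prefix (1-byte header ID + 2-byte length)" so the later subtraction from the declared length explains itself.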
@@ -205,12 +208,15 @@ public final class ObexHelper {
case 0x40:
boolean trimTail = true;
index++;
length = 0xFF & headerArray[index];
length = length << 8;
index++;
length += 0xFF & headerArray[index];
length -= 3;
index++;
length = ((0xFF & headerArray[index]) << 8) +
(0xFF & headerArray[index + 1]);
index += 2;
if (length <= OBEX_BYTE_SEQ_HEADER_LEN) {
Log.e(TAG, "Remote sent an OBEX packet with " +
"incorrect header length = " + length);
break;
}
length -= OBEX_BYTE_SEQ_HEADER_LEN;
value = new byte[length];
System.arraycopy(headerArray, index, value, 0, length);
if (length == 0 || (length > 0 && (value[length - 1] != 0))) {
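Review bot: The new check ahead of `value = new byte[length]` enforces only a lower bound, so a remote-declared length larger than the bytes left in headerArray still reaches `System.arraycopy(headerArray, index, value, 0, length)` and throws. Suggest also rejecting `length > headerArray.length - index` after the subtraction, and confirming `index + 1` is in range before the two-byte read of the length field. Separately, `length <= OBEX_BYTE_SEQ_HEADER_LEN` rejects a declared length of exactly 3 (a header with an empty body), which leaves the `length == 0` case on the last line of the hunk unreachable; `<` would keep that case while still preventing the negative array size.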