1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 //#include <dlfcn.h>
18 #include <gtest/gtest.h>
19 #include <sys/types.h>
20
21 #include <cstdint>
22 #include <cstring>
23
24 #include "osi/include/allocator.h"
25 #include "stack/avdt/avdt_int.h"
26 #include "stack/include/avdt_api.h"
27 #include "stack/test/common/mock_stack_avdt_msg.h"
28 #include "test/common/mock_functions.h"
29 #include "types/raw_address.h"
30
31 class StackAvdtpTest : public ::testing::Test {
32 protected:
33 StackAvdtpTest() = default;
34
35 virtual ~StackAvdtpTest() = default;
36 protected:
37 static AvdtpRcb reg_ctrl_block_;
38 static uint8_t callback_event_;
39 static uint8_t scb_handle_;
40
41 protected:
AvdtConnCallback(uint8_t handle,const RawAddress & bd_addr,uint8_t event,tAVDT_CTRL * p_data,uint8_t scb_index)42 static void AvdtConnCallback(uint8_t handle, const RawAddress& bd_addr,
43 uint8_t event, tAVDT_CTRL* p_data,
44 uint8_t scb_index) {
45 inc_func_call_count(__func__);
46 callback_event_ = event;
47 }
48
StreamCtrlCallback(uint8_t handle,const RawAddress & bd_addr,uint8_t event,tAVDT_CTRL * p_data,uint8_t scb_index)49 static void StreamCtrlCallback(uint8_t handle, const RawAddress& bd_addr,
50 uint8_t event, tAVDT_CTRL* p_data,
51 uint8_t scb_index) {
52 inc_func_call_count(__func__);
53 callback_event_ = event;
54 }
55
AvdtReportCallback(uint8_t handle,AVDT_REPORT_TYPE type,tAVDT_REPORT_DATA * p_data)56 static void AvdtReportCallback(uint8_t handle, AVDT_REPORT_TYPE type,
57 tAVDT_REPORT_DATA* p_data) {
58 inc_func_call_count(__func__);
59 }
60
SetUpTestCase()61 static void SetUpTestCase() {
62 reg_ctrl_block_.ctrl_mtu = 672;
63 reg_ctrl_block_.ret_tout = 4;
64 reg_ctrl_block_.sig_tout = 4;
65 reg_ctrl_block_.idle_tout = 10;
66 reg_ctrl_block_.scb_index = 0;
67 AVDT_Register(®_ctrl_block_, AvdtConnCallback);
68
69 uint8_t peer_id = 1;
70 scb_handle_ = 0;
71 AvdtpStreamConfig avdtp_stream_config{};
72 avdtp_stream_config.cfg.psc_mask = AVDT_PSC_DELAY_RPT;
73 avdtp_stream_config.p_avdt_ctrl_cback = StreamCtrlCallback;
74 avdtp_stream_config.p_report_cback = AvdtReportCallback;
75 avdtp_stream_config.tsep = AVDT_TSEP_SNK;
76 // We have to reuse the stream since there is only AVDT_NUM_SEPS *
77 // AVDT_NUM_LINKS
78 ASSERT_EQ(AVDT_CreateStream(peer_id, &scb_handle_, avdtp_stream_config), AVDT_SUCCESS);
79 }
80
TearDownTestCase()81 static void TearDownTestCase() { AVDT_Deregister(); }
82
SetUp()83 void SetUp() override {
84 callback_event_ = AVDT_MAX_EVT + 1;
85 reset_mock_function_count_map();
86 }
87
TearDown()88 void TearDown() override {
89 auto pscb = avdt_scb_by_hdl(scb_handle_);
90 tAVDT_SCB_EVT data;
91 // clean up the SCB state
92 avdt_scb_event(pscb, AVDT_SCB_MSG_ABORT_RSP_EVT, &data);
93 avdt_scb_event(pscb, AVDT_SCB_TC_CLOSE_EVT, &data);
94 ASSERT_EQ(AVDT_RemoveStream(scb_handle_), AVDT_SUCCESS);
95 // fallback to default settings (delay report + sink)
96 pscb->stream_config.cfg.psc_mask = AVDT_PSC_DELAY_RPT;
97 pscb->stream_config.tsep = AVDT_TSEP_SNK;
98 }
99 };
100
101 AvdtpRcb StackAvdtpTest::reg_ctrl_block_{};
102 uint8_t StackAvdtpTest::callback_event_ = AVDT_MAX_EVT + 1;
103 uint8_t StackAvdtpTest::scb_handle_ = 0;
104
TEST_F(StackAvdtpTest,test_delay_report_as_accept)105 TEST_F(StackAvdtpTest, test_delay_report_as_accept) {
106 // Get SCB ready to send response
107 auto pscb = avdt_scb_by_hdl(scb_handle_);
108 pscb->in_use = true;
109
110 // Send SetConfig response
111 uint8_t label = 0;
112 uint8_t err_code = 0;
113 uint8_t category = 0;
114
115 mock_avdt_msg_send_cmd_clear_history();
116 mock_avdt_msg_send_rsp_clear_history();
117 ASSERT_EQ(AVDT_ConfigRsp(scb_handle_, label, err_code, category), AVDT_SUCCESS);
118
119 // Config response sent
120 ASSERT_EQ(get_func_call_count("avdt_msg_send_rsp"), 1);
121 ASSERT_EQ(mock_avdt_msg_send_rsp_get_sig_id_at(0), AVDT_SIG_SETCONFIG);
122
123 // Delay report command sent
124 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"), 1);
125 ASSERT_EQ(mock_avdt_msg_send_cmd_get_sig_id_at(0), AVDT_SIG_DELAY_RPT);
126
127 // Delay report confirmed
128 tAVDT_SCB_EVT data;
129 ASSERT_EQ(get_func_call_count("StreamCtrlCallback"), 0);
130 avdt_scb_hdl_delay_rpt_rsp(pscb, &data);
131 ASSERT_EQ(callback_event_, AVDT_DELAY_REPORT_CFM_EVT);
132 }
133
TEST_F(StackAvdtpTest,test_no_delay_report_if_not_sink)134 TEST_F(StackAvdtpTest, test_no_delay_report_if_not_sink) {
135 // Get SCB ready to send response
136 auto pscb = avdt_scb_by_hdl(scb_handle_);
137 pscb->in_use = true;
138
139 // Change the scb to SRC
140 pscb->stream_config.tsep = AVDT_TSEP_SRC;
141
142 // Send SetConfig response
143 uint8_t label = 0;
144 uint8_t err_code = 0;
145 uint8_t category = 0;
146 ASSERT_EQ(AVDT_ConfigRsp(scb_handle_, label, err_code, category), AVDT_SUCCESS);
147 ASSERT_EQ(get_func_call_count("avdt_msg_send_rsp"),
148 1); // Config response sent
149 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"),
150 0); // Delay report command not sent
151 }
152
TEST_F(StackAvdtpTest,test_no_delay_report_if_not_enabled)153 TEST_F(StackAvdtpTest, test_no_delay_report_if_not_enabled) {
154 // Get SCB ready to send response
155 auto pscb = avdt_scb_by_hdl(scb_handle_);
156 pscb->in_use = true;
157
158 // Disable the scb's delay report mask
159 pscb->stream_config.cfg.psc_mask &= ~AVDT_PSC_DELAY_RPT;
160
161 // Send SetConfig response
162 uint8_t label = 0;
163 uint8_t err_code = 0;
164 uint8_t category = 0;
165 ASSERT_EQ(AVDT_ConfigRsp(scb_handle_, label, err_code, category), AVDT_SUCCESS);
166 ASSERT_EQ(get_func_call_count("avdt_msg_send_rsp"),
167 1); // Config response sent
168 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"),
169 0); // Delay report command not sent
170 }
171
TEST_F(StackAvdtpTest,test_delay_report_as_init)172 TEST_F(StackAvdtpTest, test_delay_report_as_init) {
173 auto pscb = avdt_scb_by_hdl(scb_handle_);
174 pscb->in_use = true;
175
176 tAVDT_SCB_EVT data;
177
178 // Delay report -> Open command
179 mock_avdt_msg_send_cmd_clear_history();
180 avdt_scb_event(pscb, AVDT_SCB_MSG_SETCONFIG_RSP_EVT, &data);
181 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"), 2);
182 ASSERT_EQ(mock_avdt_msg_send_cmd_get_sig_id_at(0), AVDT_SIG_DELAY_RPT);
183 ASSERT_EQ(mock_avdt_msg_send_cmd_get_sig_id_at(1), AVDT_SIG_OPEN);
184 }
185
TEST_F(StackAvdtpTest,test_SR_reporting_handler)186 TEST_F(StackAvdtpTest, test_SR_reporting_handler) {
187 constexpr uint8_t sender_report_packet[] = {
188 // Header
189 0x80, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
190 // Sender Info
191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
193 // Report Block #1
194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
196 uint16_t packet_length = sizeof(sender_report_packet);
197 tAVDT_SCB_EVT data;
198 auto pscb = avdt_scb_by_hdl(scb_handle_);
199
200 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
201 *data.p_pkt = {.len = packet_length, .layer_specific = AVDT_CHAN_REPORT};
202 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
203 avdt_scb_hdl_pkt(pscb, &data);
204 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
205
206 // no payload
207 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
208 *data.p_pkt = {.layer_specific = AVDT_CHAN_REPORT};
209 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
210 avdt_scb_hdl_pkt(pscb, &data);
211 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
212
213 // only reporting header
214 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
215 *data.p_pkt = {.len = 8, .layer_specific = AVDT_CHAN_REPORT};
216 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
217 avdt_scb_hdl_pkt(pscb, &data);
218 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
219
220 // reporting header + sender info
221 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
222 *data.p_pkt = {.len = 28, .layer_specific = AVDT_CHAN_REPORT};
223 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
224 avdt_scb_hdl_pkt(pscb, &data);
225 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 2);
226 }
227
TEST_F(StackAvdtpTest,test_RR_reporting_handler)228 TEST_F(StackAvdtpTest, test_RR_reporting_handler) {
229 constexpr uint8_t receiver_report_packet[] = {
230 // Header
231 0x80, 0xc9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
232 // Report Block #1
233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
235 uint16_t packet_length = sizeof(receiver_report_packet);
236 tAVDT_SCB_EVT data;
237 auto pscb = avdt_scb_by_hdl(scb_handle_);
238
239 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
240 *data.p_pkt = {.len = packet_length, .layer_specific = AVDT_CHAN_REPORT};
241 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
242 avdt_scb_hdl_pkt(pscb, &data);
243 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
244
245 // no payload
246 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
247 *data.p_pkt = {.layer_specific = AVDT_CHAN_REPORT};
248 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
249 avdt_scb_hdl_pkt(pscb, &data);
250 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
251
252 // only reporting header
253 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
254 *data.p_pkt = {.len = 8, .layer_specific = AVDT_CHAN_REPORT};
255 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
256 avdt_scb_hdl_pkt(pscb, &data);
257 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
258
259 // reporting header + report block
260 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
261 *data.p_pkt = {.len = 32, .layer_specific = AVDT_CHAN_REPORT};
262 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
263 avdt_scb_hdl_pkt(pscb, &data);
264 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 2);
265 }
266
TEST_F(StackAvdtpTest,test_SDES_reporting_handler)267 TEST_F(StackAvdtpTest, test_SDES_reporting_handler) {
268 constexpr uint8_t source_description_packet[] = {// Header
269 0x80, 0xca, 0x00, 0x00,
270 // Chunk #1
271 0x00, 0x00, 0x00, 0x00,
272 // SDES Item (CNAME=1)
273 0x01, 0x05, 0x00, 0x00, 0x00,
274 0x00, 0x00, 0x00};
275 uint16_t packet_length = sizeof(source_description_packet);
276 tAVDT_SCB_EVT data;
277 auto pscb = avdt_scb_by_hdl(scb_handle_);
278
279 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
280 *data.p_pkt = {.len = packet_length, .layer_specific = AVDT_CHAN_REPORT};
281 memcpy(data.p_pkt->data, source_description_packet, packet_length);
282 avdt_scb_hdl_pkt(pscb, &data);
283 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
284
285 // no payload
286 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
287 *data.p_pkt = {.layer_specific = AVDT_CHAN_REPORT};
288 memcpy(data.p_pkt->data, source_description_packet, packet_length);
289 avdt_scb_hdl_pkt(pscb, &data);
290 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
291
292 // only reporting header
293 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
294 *data.p_pkt = {.len = 4, .layer_specific = AVDT_CHAN_REPORT};
295 memcpy(data.p_pkt->data, source_description_packet, packet_length);
296 avdt_scb_hdl_pkt(pscb, &data);
297 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
298
299 // SDES Item (CNAME) with empty value
300 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
301 *data.p_pkt = {.len = 10, .layer_specific = AVDT_CHAN_REPORT};
302 memcpy(data.p_pkt->data, source_description_packet, packet_length);
303 avdt_scb_hdl_pkt(pscb, &data);
304 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
305
306 // SDES Item (not CNAME) which is not supported
307 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
308 *data.p_pkt = {.len = 10, .layer_specific = AVDT_CHAN_REPORT};
309 memcpy(data.p_pkt->data, source_description_packet, packet_length);
310 *(data.p_pkt->data + 8) = 0x02;
311 *(data.p_pkt->data + 9) = 0x00;
312 avdt_scb_hdl_pkt(pscb, &data);
313 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
314 }
315
316 void avdt_scb_hdl_pkt_no_frag(AvdtpScb* p_scb, tAVDT_SCB_EVT* p_data);
317 // regression tests for b/258057241 (CVE-2022-40503)
318 // The regression tests are divided into 2 tests:
319 // avdt_scb_hdl_pkt_no_frag_regression_test1 verifies that
320 // OOB access resulted from integer overflow
321 // from the ex_len field in the packet is properly handled
322
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test0)323 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test0) {
324 const uint16_t extra_size = 0;
325 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
326 ASSERT_NE(p_pkt, nullptr);
327 tAVDT_SCB_EVT evt_data = {
328 .p_pkt = p_pkt,
329 };
330 p_pkt->len = 0;
331
332 // get the stream control block
333 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
334 ASSERT_NE(pscb, nullptr);
335
336 // any memory issue would be caught be the address sanitizer
337 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
338
339 // here we would also assume that p_pkt would have been freed
340 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
341 // thus vt_data.p_pkt will be set to nullptr
342 ASSERT_EQ(evt_data.p_pkt, nullptr);
343 }
344
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test1)345 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test1) {
346 const uint16_t extra_size = 100;
347 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
348 ASSERT_NE(p_pkt, nullptr);
349 tAVDT_SCB_EVT evt_data = {
350 .p_pkt = p_pkt,
351 };
352
353 // setup p_pkt
354 // no overflow here
355 p_pkt->len = extra_size;
356 p_pkt->offset = 0;
357
358 uint8_t* p = (uint8_t*)(p_pkt + 1);
359 // fill the p_pkt with 0xff to
360 // make ex_len * 4 overflow
361 memset(p, 0xff, extra_size);
362
363 // get the stream control block
364 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
365 ASSERT_NE(pscb, nullptr);
366
367 // any memory issue would be caught be the address sanitizer
368 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
369
370 // here we would also assume that p_pkt would have been freed
371 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
372 // thus vt_data.p_pkt will be set to nullptr
373 ASSERT_EQ(evt_data.p_pkt, nullptr);
374 }
375
376 // avdt_scb_hdl_pkt_no_frag_regression_test2 verifies that
377 // OOB access resulted from integer overflow
378 // from the pad_len field in the packet is properly handled
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test2)379 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test2) {
380 const uint16_t extra_size = 100;
381 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
382 ASSERT_NE(p_pkt, nullptr);
383 tAVDT_SCB_EVT evt_data = {
384 .p_pkt = p_pkt,
385 };
386
387 // setup p_pkt
388 // no overflow here
389 p_pkt->len = extra_size;
390 p_pkt->offset = 0;
391
392 uint8_t* p = (uint8_t*)(p_pkt + 1);
393 // zero out all bytes first
394 memset(p, 0, extra_size);
395 // setup o_v, o_p, o_x, o_cc
396 *p = 0xff;
397 // set the pad_len to be 0xff
398 p[extra_size - 1] = 0xff;
399
400 // get the stream control block
401 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
402 ASSERT_NE(pscb, nullptr);
403
404 // any memory issue would be caught be the address sanitizer
405 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
406
407 // here we would also assume that p_pkt would have been freed
408 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
409 // thus vt_data.p_pkt will be set to nullptr
410 ASSERT_EQ(evt_data.p_pkt, nullptr);
411 }
412
413 // avdt_scb_hdl_pkt_no_frag_regression_test3 verifies that
414 // zero length packets are filtered out
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test3)415 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test3) {
416 // 12 btyes of minimal + 15 * oc (4 bytes each) + 4 btye to ex_len
417 const uint16_t extra_size = 12 + 15 * 4 + 4;
418 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
419 ASSERT_NE(p_pkt, nullptr);
420 tAVDT_SCB_EVT evt_data = {
421 .p_pkt = p_pkt,
422 };
423
424 // setup p_pkt
425 // no overflow here
426 p_pkt->len = extra_size;
427 p_pkt->offset = 0;
428
429 uint8_t* p = (uint8_t*)(p_pkt + 1);
430 // fill the p_pkt with 0 to
431 // make ex_len * 4 overflow
432 memset(p, 0, extra_size);
433 // setup
434 // o_v = 0b10
435 // o_p = 0b01 // with padding
436 // o_x = 0b10
437 // o_cc = 0b1111
438 *p = 0xff;
439
440 // get the stream control block
441 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
442 ASSERT_NE(pscb, nullptr);
443
444 // any memory issue would be caught be the address sanitizer
445 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
446
447 // here we would also assume that p_pkt would have been freed
448 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
449 // thus vt_data.p_pkt will be set to nullptr
450 ASSERT_EQ(evt_data.p_pkt, nullptr);
451 }
452