1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 // #include <dlfcn.h>
18 #include <gtest/gtest.h>
19 #include <sys/types.h>
20
21 #include <cstdint>
22 #include <cstring>
23
24 #include "osi/include/allocator.h"
25 #include "stack/avdt/avdt_int.h"
26 #include "stack/include/avdt_api.h"
27 #include "stack/test/common/mock_stack_avdt_msg.h"
28 #include "test/common/mock_functions.h"
29 #include "types/raw_address.h"
30
31 class StackAvdtpTest : public ::testing::Test {
32 protected:
33 StackAvdtpTest() = default;
34
35 virtual ~StackAvdtpTest() = default;
36
37 protected:
38 static AvdtpRcb reg_ctrl_block_;
39 static uint8_t callback_event_;
40 static uint8_t scb_handle_;
41
42 protected:
AvdtConnCallback(uint8_t,const RawAddress &,uint8_t event,tAVDT_CTRL *,uint8_t)43 static void AvdtConnCallback(uint8_t /*handle*/, const RawAddress& /*bd_addr*/, uint8_t event,
44 tAVDT_CTRL* /*p_data*/, uint8_t /*scb_index*/) {
45 inc_func_call_count(__func__);
46 callback_event_ = event;
47 }
48
StreamCtrlCallback(uint8_t,const RawAddress &,uint8_t event,tAVDT_CTRL *,uint8_t)49 static void StreamCtrlCallback(uint8_t /*handle*/, const RawAddress& /*bd_addr*/, uint8_t event,
50 tAVDT_CTRL* /*p_data*/, uint8_t /*scb_index*/) {
51 inc_func_call_count(__func__);
52 callback_event_ = event;
53 }
54
AvdtReportCallback(uint8_t,AVDT_REPORT_TYPE,tAVDT_REPORT_DATA *)55 static void AvdtReportCallback(uint8_t /*handle*/, AVDT_REPORT_TYPE /*type*/,
56 tAVDT_REPORT_DATA* /*p_data*/) {
57 inc_func_call_count(__func__);
58 }
59
SetUpTestCase()60 static void SetUpTestCase() {
61 reg_ctrl_block_.ctrl_mtu = 672;
62 reg_ctrl_block_.ret_tout = 4;
63 reg_ctrl_block_.sig_tout = 4;
64 reg_ctrl_block_.idle_tout = 10;
65 reg_ctrl_block_.scb_index = 0;
66 AVDT_Register(®_ctrl_block_, AvdtConnCallback);
67
68 uint8_t peer_id = 1;
69 scb_handle_ = 0;
70 AvdtpStreamConfig avdtp_stream_config{};
71 avdtp_stream_config.cfg.psc_mask = AVDT_PSC_DELAY_RPT;
72 avdtp_stream_config.p_avdt_ctrl_cback = StreamCtrlCallback;
73 avdtp_stream_config.p_report_cback = AvdtReportCallback;
74 avdtp_stream_config.tsep = AVDT_TSEP_SNK;
75 // We have to reuse the stream since there is only AVDT_NUM_SEPS *
76 // AVDT_NUM_LINKS
77 ASSERT_EQ(AVDT_CreateStream(peer_id, &scb_handle_, avdtp_stream_config), AVDT_SUCCESS);
78 }
79
TearDownTestCase()80 static void TearDownTestCase() { AVDT_Deregister(); }
81
SetUp()82 void SetUp() override {
83 callback_event_ = AVDT_MAX_EVT + 1;
84 reset_mock_function_count_map();
85 }
86
TearDown()87 void TearDown() override {
88 auto pscb = avdt_scb_by_hdl(scb_handle_);
89 tAVDT_SCB_EVT data;
90 // clean up the SCB state
91 avdt_scb_event(pscb, AVDT_SCB_MSG_ABORT_RSP_EVT, &data);
92 avdt_scb_event(pscb, AVDT_SCB_TC_CLOSE_EVT, &data);
93 ASSERT_EQ(AVDT_RemoveStream(scb_handle_), AVDT_SUCCESS);
94 // fallback to default settings (delay report + sink)
95 pscb->stream_config.cfg.psc_mask = AVDT_PSC_DELAY_RPT;
96 pscb->stream_config.tsep = AVDT_TSEP_SNK;
97 }
98 };
99
100 AvdtpRcb StackAvdtpTest::reg_ctrl_block_{};
101 uint8_t StackAvdtpTest::callback_event_ = AVDT_MAX_EVT + 1;
102 uint8_t StackAvdtpTest::scb_handle_ = 0;
103
TEST_F(StackAvdtpTest,test_delay_report_as_accept)104 TEST_F(StackAvdtpTest, test_delay_report_as_accept) {
105 // Get SCB ready to send response
106 auto pscb = avdt_scb_by_hdl(scb_handle_);
107 pscb->in_use = true;
108
109 // Send SetConfig response
110 uint8_t label = 0;
111 uint8_t err_code = 0;
112 uint8_t category = 0;
113
114 mock_avdt_msg_send_cmd_clear_history();
115 mock_avdt_msg_send_rsp_clear_history();
116 ASSERT_EQ(AVDT_ConfigRsp(scb_handle_, label, err_code, category), AVDT_SUCCESS);
117
118 // Config response sent
119 ASSERT_EQ(get_func_call_count("avdt_msg_send_rsp"), 1);
120 ASSERT_EQ(mock_avdt_msg_send_rsp_get_sig_id_at(0), AVDT_SIG_SETCONFIG);
121
122 // Delay report command sent
123 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"), 1);
124 ASSERT_EQ(mock_avdt_msg_send_cmd_get_sig_id_at(0), AVDT_SIG_DELAY_RPT);
125
126 // Delay report confirmed
127 tAVDT_SCB_EVT data;
128 ASSERT_EQ(get_func_call_count("StreamCtrlCallback"), 0);
129 avdt_scb_hdl_delay_rpt_rsp(pscb, &data);
130 ASSERT_EQ(callback_event_, AVDT_DELAY_REPORT_CFM_EVT);
131 }
132
TEST_F(StackAvdtpTest,test_no_delay_report_if_not_sink)133 TEST_F(StackAvdtpTest, test_no_delay_report_if_not_sink) {
134 // Get SCB ready to send response
135 auto pscb = avdt_scb_by_hdl(scb_handle_);
136 pscb->in_use = true;
137
138 // Change the scb to SRC
139 pscb->stream_config.tsep = AVDT_TSEP_SRC;
140
141 // Send SetConfig response
142 uint8_t label = 0;
143 uint8_t err_code = 0;
144 uint8_t category = 0;
145 ASSERT_EQ(AVDT_ConfigRsp(scb_handle_, label, err_code, category), AVDT_SUCCESS);
146 ASSERT_EQ(get_func_call_count("avdt_msg_send_rsp"),
147 1); // Config response sent
148 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"),
149 0); // Delay report command not sent
150 }
151
TEST_F(StackAvdtpTest,test_no_delay_report_if_not_enabled)152 TEST_F(StackAvdtpTest, test_no_delay_report_if_not_enabled) {
153 // Get SCB ready to send response
154 auto pscb = avdt_scb_by_hdl(scb_handle_);
155 pscb->in_use = true;
156
157 // Disable the scb's delay report mask
158 pscb->stream_config.cfg.psc_mask &= ~AVDT_PSC_DELAY_RPT;
159
160 // Send SetConfig response
161 uint8_t label = 0;
162 uint8_t err_code = 0;
163 uint8_t category = 0;
164 ASSERT_EQ(AVDT_ConfigRsp(scb_handle_, label, err_code, category), AVDT_SUCCESS);
165 ASSERT_EQ(get_func_call_count("avdt_msg_send_rsp"),
166 1); // Config response sent
167 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"),
168 0); // Delay report command not sent
169 }
170
TEST_F(StackAvdtpTest,test_delay_report_as_init)171 TEST_F(StackAvdtpTest, test_delay_report_as_init) {
172 auto pscb = avdt_scb_by_hdl(scb_handle_);
173 pscb->in_use = true;
174
175 tAVDT_SCB_EVT data;
176
177 // Delay report -> Open command
178 mock_avdt_msg_send_cmd_clear_history();
179 avdt_scb_event(pscb, AVDT_SCB_MSG_SETCONFIG_RSP_EVT, &data);
180 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"), 2);
181 ASSERT_EQ(mock_avdt_msg_send_cmd_get_sig_id_at(0), AVDT_SIG_DELAY_RPT);
182 ASSERT_EQ(mock_avdt_msg_send_cmd_get_sig_id_at(1), AVDT_SIG_OPEN);
183 }
184
TEST_F(StackAvdtpTest,test_SR_reporting_handler)185 TEST_F(StackAvdtpTest, test_SR_reporting_handler) {
186 constexpr uint8_t sender_report_packet[] = {
187 // Header
188 0x80, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
189 // Sender Info
190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
191 0x00, 0x00, 0x00, 0x00, 0x00,
192 // Report Block #1
193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
195 uint16_t packet_length = sizeof(sender_report_packet);
196 tAVDT_SCB_EVT data;
197 auto pscb = avdt_scb_by_hdl(scb_handle_);
198
199 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
200 *data.p_pkt = {.len = packet_length, .layer_specific = AVDT_CHAN_REPORT};
201 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
202 avdt_scb_hdl_pkt(pscb, &data);
203 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
204
205 // no payload
206 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
207 *data.p_pkt = {.layer_specific = AVDT_CHAN_REPORT};
208 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
209 avdt_scb_hdl_pkt(pscb, &data);
210 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
211
212 // only reporting header
213 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
214 *data.p_pkt = {.len = 8, .layer_specific = AVDT_CHAN_REPORT};
215 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
216 avdt_scb_hdl_pkt(pscb, &data);
217 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
218
219 // reporting header + sender info
220 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
221 *data.p_pkt = {.len = 28, .layer_specific = AVDT_CHAN_REPORT};
222 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
223 avdt_scb_hdl_pkt(pscb, &data);
224 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 2);
225 }
226
TEST_F(StackAvdtpTest,test_RR_reporting_handler)227 TEST_F(StackAvdtpTest, test_RR_reporting_handler) {
228 constexpr uint8_t receiver_report_packet[] = {// Header
229 0x80, 0xc9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
230 // Report Block #1
231 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
232 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
234 uint16_t packet_length = sizeof(receiver_report_packet);
235 tAVDT_SCB_EVT data;
236 auto pscb = avdt_scb_by_hdl(scb_handle_);
237
238 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
239 *data.p_pkt = {.len = packet_length, .layer_specific = AVDT_CHAN_REPORT};
240 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
241 avdt_scb_hdl_pkt(pscb, &data);
242 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
243
244 // no payload
245 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
246 *data.p_pkt = {.layer_specific = AVDT_CHAN_REPORT};
247 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
248 avdt_scb_hdl_pkt(pscb, &data);
249 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
250
251 // only reporting header
252 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
253 *data.p_pkt = {.len = 8, .layer_specific = AVDT_CHAN_REPORT};
254 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
255 avdt_scb_hdl_pkt(pscb, &data);
256 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
257
258 // reporting header + report block
259 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
260 *data.p_pkt = {.len = 32, .layer_specific = AVDT_CHAN_REPORT};
261 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
262 avdt_scb_hdl_pkt(pscb, &data);
263 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 2);
264 }
265
TEST_F(StackAvdtpTest,test_SDES_reporting_handler)266 TEST_F(StackAvdtpTest, test_SDES_reporting_handler) {
267 constexpr uint8_t source_description_packet[] = {// Header
268 0x80, 0xca, 0x00, 0x00,
269 // Chunk #1
270 0x00, 0x00, 0x00, 0x00,
271 // SDES Item (CNAME=1)
272 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
273 uint16_t packet_length = sizeof(source_description_packet);
274 tAVDT_SCB_EVT data;
275 auto pscb = avdt_scb_by_hdl(scb_handle_);
276
277 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
278 *data.p_pkt = {.len = packet_length, .layer_specific = AVDT_CHAN_REPORT};
279 memcpy(data.p_pkt->data, source_description_packet, packet_length);
280 avdt_scb_hdl_pkt(pscb, &data);
281 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
282
283 // no payload
284 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
285 *data.p_pkt = {.layer_specific = AVDT_CHAN_REPORT};
286 memcpy(data.p_pkt->data, source_description_packet, packet_length);
287 avdt_scb_hdl_pkt(pscb, &data);
288 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
289
290 // only reporting header
291 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
292 *data.p_pkt = {.len = 4, .layer_specific = AVDT_CHAN_REPORT};
293 memcpy(data.p_pkt->data, source_description_packet, packet_length);
294 avdt_scb_hdl_pkt(pscb, &data);
295 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
296
297 // SDES Item (CNAME) with empty value
298 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
299 *data.p_pkt = {.len = 10, .layer_specific = AVDT_CHAN_REPORT};
300 memcpy(data.p_pkt->data, source_description_packet, packet_length);
301 avdt_scb_hdl_pkt(pscb, &data);
302 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
303
304 // SDES Item (not CNAME) which is not supported
305 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
306 *data.p_pkt = {.len = 10, .layer_specific = AVDT_CHAN_REPORT};
307 memcpy(data.p_pkt->data, source_description_packet, packet_length);
308 *(data.p_pkt->data + 8) = 0x02;
309 *(data.p_pkt->data + 9) = 0x00;
310 avdt_scb_hdl_pkt(pscb, &data);
311 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
312 }
313
314 // regression tests for b/258057241 (CVE-2022-40503)
315 // The regression tests are divided into 2 tests:
316 // avdt_scb_hdl_pkt_no_frag_regression_test1 verifies that
317 // OOB access resulted from integer overflow
318 // from the ex_len field in the packet is properly handled
319
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test0)320 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test0) {
321 const uint16_t extra_size = 0;
322 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
323 ASSERT_NE(p_pkt, nullptr);
324 tAVDT_SCB_EVT evt_data = {
325 .p_pkt = p_pkt,
326 };
327 p_pkt->len = 0;
328
329 // get the stream control block
330 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
331 ASSERT_NE(pscb, nullptr);
332
333 // any memory issue would be caught be the address sanitizer
334 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
335
336 // here we would also assume that p_pkt would have been freed
337 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
338 // thus vt_data.p_pkt will be set to nullptr
339 ASSERT_EQ(evt_data.p_pkt, nullptr);
340 }
341
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test1)342 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test1) {
343 const uint16_t extra_size = 100;
344 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
345 ASSERT_NE(p_pkt, nullptr);
346 tAVDT_SCB_EVT evt_data = {
347 .p_pkt = p_pkt,
348 };
349
350 // setup p_pkt
351 // no overflow here
352 p_pkt->len = extra_size;
353 p_pkt->offset = 0;
354
355 uint8_t* p = (uint8_t*)(p_pkt + 1);
356 // fill the p_pkt with 0xff to
357 // make ex_len * 4 overflow
358 memset(p, 0xff, extra_size);
359
360 // get the stream control block
361 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
362 ASSERT_NE(pscb, nullptr);
363
364 // any memory issue would be caught be the address sanitizer
365 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
366
367 // here we would also assume that p_pkt would have been freed
368 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
369 // thus vt_data.p_pkt will be set to nullptr
370 ASSERT_EQ(evt_data.p_pkt, nullptr);
371 }
372
373 // avdt_scb_hdl_pkt_no_frag_regression_test2 verifies that
374 // OOB access resulted from integer overflow
375 // from the pad_len field in the packet is properly handled
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test2)376 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test2) {
377 const uint16_t extra_size = 100;
378 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
379 ASSERT_NE(p_pkt, nullptr);
380 tAVDT_SCB_EVT evt_data = {
381 .p_pkt = p_pkt,
382 };
383
384 // setup p_pkt
385 // no overflow here
386 p_pkt->len = extra_size;
387 p_pkt->offset = 0;
388
389 uint8_t* p = (uint8_t*)(p_pkt + 1);
390 // zero out all bytes first
391 memset(p, 0, extra_size);
392 // setup o_v, o_p, o_x, o_cc
393 *p = 0xff;
394 // set the pad_len to be 0xff
395 p[extra_size - 1] = 0xff;
396
397 // get the stream control block
398 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
399 ASSERT_NE(pscb, nullptr);
400
401 // any memory issue would be caught be the address sanitizer
402 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
403
404 // here we would also assume that p_pkt would have been freed
405 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
406 // thus vt_data.p_pkt will be set to nullptr
407 ASSERT_EQ(evt_data.p_pkt, nullptr);
408 }
409
410 // avdt_scb_hdl_pkt_no_frag_regression_test3 verifies that
411 // zero length packets are filtered out
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test3)412 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test3) {
413 // 12 btyes of minimal + 15 * oc (4 bytes each) + 4 btye to ex_len
414 const uint16_t extra_size = 12 + 15 * 4 + 4;
415 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
416 ASSERT_NE(p_pkt, nullptr);
417 tAVDT_SCB_EVT evt_data = {
418 .p_pkt = p_pkt,
419 };
420
421 // setup p_pkt
422 // no overflow here
423 p_pkt->len = extra_size;
424 p_pkt->offset = 0;
425
426 uint8_t* p = (uint8_t*)(p_pkt + 1);
427 // fill the p_pkt with 0 to
428 // make ex_len * 4 overflow
429 memset(p, 0, extra_size);
430 // setup
431 // o_v = 0b10
432 // o_p = 0b01 // with padding
433 // o_x = 0b10
434 // o_cc = 0b1111
435 *p = 0xff;
436
437 // get the stream control block
438 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
439 ASSERT_NE(pscb, nullptr);
440
441 // any memory issue would be caught be the address sanitizer
442 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
443
444 // here we would also assume that p_pkt would have been freed
445 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
446 // thus vt_data.p_pkt will be set to nullptr
447 ASSERT_EQ(evt_data.p_pkt, nullptr);
448 }
449