1 /*
2 * Copyright 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 // #include <dlfcn.h>
18 #include <gtest/gtest.h>
19 #include <sys/types.h>
20
21 #include <cstdint>
22 #include <cstring>
23
24 #include "osi/include/allocator.h"
25 #include "stack/avdt/avdt_int.h"
26 #include "stack/include/avdt_api.h"
27 #include "stack/include/main_thread.h"
28 #include "stack/test/common/mock_stack_avdt_msg.h"
29 #include "test/common/mock_functions.h"
30 #include "types/raw_address.h"
31
get_main_thread()32 bluetooth::common::MessageLoopThread* get_main_thread() { return nullptr; }
33
34 class StackAvdtpTest : public ::testing::Test {
35 protected:
36 StackAvdtpTest() = default;
37
38 virtual ~StackAvdtpTest() = default;
39
40 protected:
41 static AvdtpRcb reg_ctrl_block_;
42 static uint8_t callback_event_;
43 static uint8_t scb_handle_;
44
45 protected:
AvdtConnCallback(uint8_t,const RawAddress &,uint8_t event,tAVDT_CTRL *,uint8_t)46 static void AvdtConnCallback(uint8_t /*handle*/, const RawAddress& /*bd_addr*/, uint8_t event,
47 tAVDT_CTRL* /*p_data*/, uint8_t /*scb_index*/) {
48 inc_func_call_count(__func__);
49 callback_event_ = event;
50 }
51
StreamCtrlCallback(uint8_t,const RawAddress &,uint8_t event,tAVDT_CTRL *,uint8_t)52 static void StreamCtrlCallback(uint8_t /*handle*/, const RawAddress& /*bd_addr*/, uint8_t event,
53 tAVDT_CTRL* /*p_data*/, uint8_t /*scb_index*/) {
54 inc_func_call_count(__func__);
55 callback_event_ = event;
56 }
57
AvdtReportCallback(uint8_t,AVDT_REPORT_TYPE,tAVDT_REPORT_DATA *)58 static void AvdtReportCallback(uint8_t /*handle*/, AVDT_REPORT_TYPE /*type*/,
59 tAVDT_REPORT_DATA* /*p_data*/) {
60 inc_func_call_count(__func__);
61 }
62
SetUpTestCase()63 static void SetUpTestCase() {
64 reg_ctrl_block_.ctrl_mtu = 672;
65 reg_ctrl_block_.ret_tout = 4;
66 reg_ctrl_block_.sig_tout = 4;
67 reg_ctrl_block_.idle_tout = 10;
68 reg_ctrl_block_.scb_index = 0;
69 AVDT_Register(®_ctrl_block_, AvdtConnCallback);
70
71 uint8_t peer_id = 1;
72 scb_handle_ = 0;
73 AvdtpStreamConfig avdtp_stream_config{};
74 avdtp_stream_config.cfg.psc_mask = AVDT_PSC_DELAY_RPT;
75 avdtp_stream_config.p_avdt_ctrl_cback = StreamCtrlCallback;
76 avdtp_stream_config.p_report_cback = AvdtReportCallback;
77 avdtp_stream_config.tsep = AVDT_TSEP_SNK;
78 // We have to reuse the stream since there is only AVDT_NUM_SEPS *
79 // AVDT_NUM_LINKS
80 ASSERT_EQ(AVDT_CreateStream(peer_id, &scb_handle_, avdtp_stream_config), AVDT_SUCCESS);
81 }
82
TearDownTestCase()83 static void TearDownTestCase() { AVDT_Deregister(); }
84
SetUp()85 void SetUp() override {
86 callback_event_ = AVDT_MAX_EVT + 1;
87 reset_mock_function_count_map();
88 }
89
TearDown()90 void TearDown() override {
91 auto pscb = avdt_scb_by_hdl(scb_handle_);
92 tAVDT_SCB_EVT data;
93 // clean up the SCB state
94 avdt_scb_event(pscb, AVDT_SCB_MSG_ABORT_RSP_EVT, &data);
95 avdt_scb_event(pscb, AVDT_SCB_TC_CLOSE_EVT, &data);
96 ASSERT_EQ(AVDT_RemoveStream(scb_handle_), AVDT_SUCCESS);
97 // fallback to default settings (delay report + sink)
98 pscb->stream_config.cfg.psc_mask = AVDT_PSC_DELAY_RPT;
99 pscb->stream_config.tsep = AVDT_TSEP_SNK;
100 }
101 };
102
103 AvdtpRcb StackAvdtpTest::reg_ctrl_block_{};
104 uint8_t StackAvdtpTest::callback_event_ = AVDT_MAX_EVT + 1;
105 uint8_t StackAvdtpTest::scb_handle_ = 0;
106
TEST_F(StackAvdtpTest,test_delay_report_as_accept)107 TEST_F(StackAvdtpTest, test_delay_report_as_accept) {
108 // Get SCB ready to send response
109 auto pscb = avdt_scb_by_hdl(scb_handle_);
110 pscb->in_use = true;
111
112 // Send SetConfig response
113 uint8_t label = 0;
114 uint8_t err_code = 0;
115 uint8_t category = 0;
116
117 mock_avdt_msg_send_cmd_clear_history();
118 mock_avdt_msg_send_rsp_clear_history();
119 ASSERT_EQ(AVDT_ConfigRsp(scb_handle_, label, err_code, category), AVDT_SUCCESS);
120
121 // Config response sent
122 ASSERT_EQ(get_func_call_count("avdt_msg_send_rsp"), 1);
123 ASSERT_EQ(mock_avdt_msg_send_rsp_get_sig_id_at(0), AVDT_SIG_SETCONFIG);
124
125 // Delay report command sent
126 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"), 1);
127 ASSERT_EQ(mock_avdt_msg_send_cmd_get_sig_id_at(0), AVDT_SIG_DELAY_RPT);
128
129 // Delay report confirmed
130 tAVDT_SCB_EVT data;
131 ASSERT_EQ(get_func_call_count("StreamCtrlCallback"), 0);
132 avdt_scb_hdl_delay_rpt_rsp(pscb, &data);
133 ASSERT_EQ(callback_event_, AVDT_DELAY_REPORT_CFM_EVT);
134 }
135
TEST_F(StackAvdtpTest,test_no_delay_report_if_not_sink)136 TEST_F(StackAvdtpTest, test_no_delay_report_if_not_sink) {
137 // Get SCB ready to send response
138 auto pscb = avdt_scb_by_hdl(scb_handle_);
139 pscb->in_use = true;
140
141 // Change the scb to SRC
142 pscb->stream_config.tsep = AVDT_TSEP_SRC;
143
144 // Send SetConfig response
145 uint8_t label = 0;
146 uint8_t err_code = 0;
147 uint8_t category = 0;
148 ASSERT_EQ(AVDT_ConfigRsp(scb_handle_, label, err_code, category), AVDT_SUCCESS);
149 ASSERT_EQ(get_func_call_count("avdt_msg_send_rsp"),
150 1); // Config response sent
151 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"),
152 0); // Delay report command not sent
153 }
154
TEST_F(StackAvdtpTest,test_no_delay_report_if_not_enabled)155 TEST_F(StackAvdtpTest, test_no_delay_report_if_not_enabled) {
156 // Get SCB ready to send response
157 auto pscb = avdt_scb_by_hdl(scb_handle_);
158 pscb->in_use = true;
159
160 // Disable the scb's delay report mask
161 pscb->stream_config.cfg.psc_mask &= ~AVDT_PSC_DELAY_RPT;
162
163 // Send SetConfig response
164 uint8_t label = 0;
165 uint8_t err_code = 0;
166 uint8_t category = 0;
167 ASSERT_EQ(AVDT_ConfigRsp(scb_handle_, label, err_code, category), AVDT_SUCCESS);
168 ASSERT_EQ(get_func_call_count("avdt_msg_send_rsp"),
169 1); // Config response sent
170 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"),
171 0); // Delay report command not sent
172 }
173
TEST_F(StackAvdtpTest,test_delay_report_as_init)174 TEST_F(StackAvdtpTest, test_delay_report_as_init) {
175 auto pscb = avdt_scb_by_hdl(scb_handle_);
176 pscb->in_use = true;
177
178 tAVDT_SCB_EVT data;
179
180 // Delay report -> Open command
181 mock_avdt_msg_send_cmd_clear_history();
182 avdt_scb_event(pscb, AVDT_SCB_MSG_SETCONFIG_RSP_EVT, &data);
183 ASSERT_EQ(get_func_call_count("avdt_msg_send_cmd"), 2);
184 ASSERT_EQ(mock_avdt_msg_send_cmd_get_sig_id_at(0), AVDT_SIG_DELAY_RPT);
185 ASSERT_EQ(mock_avdt_msg_send_cmd_get_sig_id_at(1), AVDT_SIG_OPEN);
186 }
187
TEST_F(StackAvdtpTest,test_SR_reporting_handler)188 TEST_F(StackAvdtpTest, test_SR_reporting_handler) {
189 constexpr uint8_t sender_report_packet[] = {
190 // Header
191 0x80, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
192 // Sender Info
193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
194 0x00, 0x00, 0x00, 0x00, 0x00,
195 // Report Block #1
196 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
198 uint16_t packet_length = sizeof(sender_report_packet);
199 tAVDT_SCB_EVT data;
200 auto pscb = avdt_scb_by_hdl(scb_handle_);
201
202 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
203 *data.p_pkt = {.len = packet_length, .layer_specific = AVDT_CHAN_REPORT};
204 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
205 avdt_scb_hdl_pkt(pscb, &data);
206 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
207
208 // no payload
209 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
210 *data.p_pkt = {.layer_specific = AVDT_CHAN_REPORT};
211 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
212 avdt_scb_hdl_pkt(pscb, &data);
213 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
214
215 // only reporting header
216 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
217 *data.p_pkt = {.len = 8, .layer_specific = AVDT_CHAN_REPORT};
218 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
219 avdt_scb_hdl_pkt(pscb, &data);
220 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
221
222 // reporting header + sender info
223 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
224 *data.p_pkt = {.len = 28, .layer_specific = AVDT_CHAN_REPORT};
225 memcpy(data.p_pkt->data, sender_report_packet, packet_length);
226 avdt_scb_hdl_pkt(pscb, &data);
227 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 2);
228 }
229
TEST_F(StackAvdtpTest,test_RR_reporting_handler)230 TEST_F(StackAvdtpTest, test_RR_reporting_handler) {
231 constexpr uint8_t receiver_report_packet[] = {// Header
232 0x80, 0xc9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
233 // Report Block #1
234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
236 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
237 uint16_t packet_length = sizeof(receiver_report_packet);
238 tAVDT_SCB_EVT data;
239 auto pscb = avdt_scb_by_hdl(scb_handle_);
240
241 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
242 *data.p_pkt = {.len = packet_length, .layer_specific = AVDT_CHAN_REPORT};
243 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
244 avdt_scb_hdl_pkt(pscb, &data);
245 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
246
247 // no payload
248 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
249 *data.p_pkt = {.layer_specific = AVDT_CHAN_REPORT};
250 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
251 avdt_scb_hdl_pkt(pscb, &data);
252 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
253
254 // only reporting header
255 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
256 *data.p_pkt = {.len = 8, .layer_specific = AVDT_CHAN_REPORT};
257 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
258 avdt_scb_hdl_pkt(pscb, &data);
259 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
260
261 // reporting header + report block
262 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
263 *data.p_pkt = {.len = 32, .layer_specific = AVDT_CHAN_REPORT};
264 memcpy(data.p_pkt->data, receiver_report_packet, packet_length);
265 avdt_scb_hdl_pkt(pscb, &data);
266 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 2);
267 }
268
TEST_F(StackAvdtpTest,test_SDES_reporting_handler)269 TEST_F(StackAvdtpTest, test_SDES_reporting_handler) {
270 constexpr uint8_t source_description_packet[] = {// Header
271 0x80, 0xca, 0x00, 0x00,
272 // Chunk #1
273 0x00, 0x00, 0x00, 0x00,
274 // SDES Item (CNAME=1)
275 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
276 uint16_t packet_length = sizeof(source_description_packet);
277 tAVDT_SCB_EVT data;
278 auto pscb = avdt_scb_by_hdl(scb_handle_);
279
280 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
281 *data.p_pkt = {.len = packet_length, .layer_specific = AVDT_CHAN_REPORT};
282 memcpy(data.p_pkt->data, source_description_packet, packet_length);
283 avdt_scb_hdl_pkt(pscb, &data);
284 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
285
286 // no payload
287 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
288 *data.p_pkt = {.layer_specific = AVDT_CHAN_REPORT};
289 memcpy(data.p_pkt->data, source_description_packet, packet_length);
290 avdt_scb_hdl_pkt(pscb, &data);
291 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
292
293 // only reporting header
294 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
295 *data.p_pkt = {.len = 4, .layer_specific = AVDT_CHAN_REPORT};
296 memcpy(data.p_pkt->data, source_description_packet, packet_length);
297 avdt_scb_hdl_pkt(pscb, &data);
298 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
299
300 // SDES Item (CNAME) with empty value
301 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
302 *data.p_pkt = {.len = 10, .layer_specific = AVDT_CHAN_REPORT};
303 memcpy(data.p_pkt->data, source_description_packet, packet_length);
304 avdt_scb_hdl_pkt(pscb, &data);
305 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
306
307 // SDES Item (not CNAME) which is not supported
308 data.p_pkt = (BT_HDR*)osi_calloc(sizeof(BT_HDR) + packet_length);
309 *data.p_pkt = {.len = 10, .layer_specific = AVDT_CHAN_REPORT};
310 memcpy(data.p_pkt->data, source_description_packet, packet_length);
311 *(data.p_pkt->data + 8) = 0x02;
312 *(data.p_pkt->data + 9) = 0x00;
313 avdt_scb_hdl_pkt(pscb, &data);
314 ASSERT_EQ(get_func_call_count("AvdtReportCallback"), 1);
315 }
316
317 // regression tests for b/258057241 (CVE-2022-40503)
318 // The regression tests are divided into 2 tests:
319 // avdt_scb_hdl_pkt_no_frag_regression_test1 verifies that
320 // OOB access resulted from integer overflow
321 // from the ex_len field in the packet is properly handled
322
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test0)323 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test0) {
324 const uint16_t extra_size = 0;
325 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
326 ASSERT_NE(p_pkt, nullptr);
327 tAVDT_SCB_EVT evt_data = {
328 .p_pkt = p_pkt,
329 };
330 p_pkt->len = 0;
331
332 // get the stream control block
333 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
334 ASSERT_NE(pscb, nullptr);
335
336 // any memory issue would be caught be the address sanitizer
337 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
338
339 // here we would also assume that p_pkt would have been freed
340 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
341 // thus vt_data.p_pkt will be set to nullptr
342 ASSERT_EQ(evt_data.p_pkt, nullptr);
343 }
344
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test1)345 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test1) {
346 const uint16_t extra_size = 100;
347 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
348 ASSERT_NE(p_pkt, nullptr);
349 tAVDT_SCB_EVT evt_data = {
350 .p_pkt = p_pkt,
351 };
352
353 // setup p_pkt
354 // no overflow here
355 p_pkt->len = extra_size;
356 p_pkt->offset = 0;
357
358 uint8_t* p = (uint8_t*)(p_pkt + 1);
359 // fill the p_pkt with 0xff to
360 // make ex_len * 4 overflow
361 memset(p, 0xff, extra_size);
362
363 // get the stream control block
364 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
365 ASSERT_NE(pscb, nullptr);
366
367 // any memory issue would be caught be the address sanitizer
368 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
369
370 // here we would also assume that p_pkt would have been freed
371 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
372 // thus vt_data.p_pkt will be set to nullptr
373 ASSERT_EQ(evt_data.p_pkt, nullptr);
374 }
375
376 // avdt_scb_hdl_pkt_no_frag_regression_test2 verifies that
377 // OOB access resulted from integer overflow
378 // from the pad_len field in the packet is properly handled
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test2)379 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test2) {
380 const uint16_t extra_size = 100;
381 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
382 ASSERT_NE(p_pkt, nullptr);
383 tAVDT_SCB_EVT evt_data = {
384 .p_pkt = p_pkt,
385 };
386
387 // setup p_pkt
388 // no overflow here
389 p_pkt->len = extra_size;
390 p_pkt->offset = 0;
391
392 uint8_t* p = (uint8_t*)(p_pkt + 1);
393 // zero out all bytes first
394 memset(p, 0, extra_size);
395 // setup o_v, o_p, o_x, o_cc
396 *p = 0xff;
397 // set the pad_len to be 0xff
398 p[extra_size - 1] = 0xff;
399
400 // get the stream control block
401 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
402 ASSERT_NE(pscb, nullptr);
403
404 // any memory issue would be caught be the address sanitizer
405 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
406
407 // here we would also assume that p_pkt would have been freed
408 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
409 // thus vt_data.p_pkt will be set to nullptr
410 ASSERT_EQ(evt_data.p_pkt, nullptr);
411 }
412
413 // avdt_scb_hdl_pkt_no_frag_regression_test3 verifies that
414 // zero length packets are filtered out
TEST_F(StackAvdtpTest,avdt_scb_hdl_pkt_no_frag_regression_test3)415 TEST_F(StackAvdtpTest, avdt_scb_hdl_pkt_no_frag_regression_test3) {
416 // 12 btyes of minimal + 15 * oc (4 bytes each) + 4 btye to ex_len
417 const uint16_t extra_size = 12 + 15 * 4 + 4;
418 BT_HDR* p_pkt = (BT_HDR*)osi_malloc(sizeof(BT_HDR) + extra_size);
419 ASSERT_NE(p_pkt, nullptr);
420 tAVDT_SCB_EVT evt_data = {
421 .p_pkt = p_pkt,
422 };
423
424 // setup p_pkt
425 // no overflow here
426 p_pkt->len = extra_size;
427 p_pkt->offset = 0;
428
429 uint8_t* p = (uint8_t*)(p_pkt + 1);
430 // fill the p_pkt with 0 to
431 // make ex_len * 4 overflow
432 memset(p, 0, extra_size);
433 // setup
434 // o_v = 0b10
435 // o_p = 0b01 // with padding
436 // o_x = 0b10
437 // o_cc = 0b1111
438 *p = 0xff;
439
440 // get the stream control block
441 AvdtpScb* pscb = avdt_scb_by_hdl(scb_handle_);
442 ASSERT_NE(pscb, nullptr);
443
444 // any memory issue would be caught be the address sanitizer
445 avdt_scb_hdl_pkt_no_frag(pscb, &evt_data);
446
447 // here we would also assume that p_pkt would have been freed
448 // by avdt_scb_hdl_pkt_no_frag by calling osi_free_and_reset
449 // thus vt_data.p_pkt will be set to nullptr
450 ASSERT_EQ(evt_data.p_pkt, nullptr);
451 }
452