system/bt
| Revision | f049e304c7fd2619ccdddc449e0c13ab7ed7f50e (tree) |
|---|---|
| Zeit | 2018-10-17 08:08:50 |
| Autor | Ugo Yu <ugoyu@goog...> |
| Commiter | Rohit Yengisetty |
DO NOT MERGE - Check SDU lower bound before allocate p_data
Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 87bcda81b8209a71b32351b54cedaad48a7a56b4)
stack/l2cap/l2c_fcr.c (diff)| @@ -849,6 +849,14 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf) | ||
| 849 | 849 | return; |
| 850 | 850 | } |
| 851 | 851 | |
| 852 | + if (sdu_length < p_buf->len) { | |
| 853 | + L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length); | |
| 854 | + android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0); | |
| 855 | + /* Discard the buffer */ | |
| 856 | + osi_free(p_buf); | |
| 857 | + return; | |
| 858 | + } | |
| 859 | + | |
| 852 | 860 | |
| 853 | 861 | if ((p_data = (BT_HDR *) osi_malloc(L2CAP_MAX_BUF_SIZE)) == NULL) |
| 854 | 862 | { |
Fork