system/bt
| Revision | 922d50b99e45d02b405940fe9a33887141da5c7e (tree) |
|---|---|
| Zeit | 2017-09-15 02:54:03 |
| Autor | Pavlin Radoslavov <pavlin@goog...> |
| Commiter | Dan Pasanen |
Add a missing check for PAN buffer size before copying data
Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit 1d909399cb4259243dac2e531e3ce6ca1afa77e7)
(cherry picked from commit aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
(cherry picked from commit d1145e0af3507e37d4bd25f1833e22c5c716f0ac)
(cherry picked from commit 23642dc32ce8704067882cfb37745b62c2b3562a)
bta/pan/bta_pan_act.c (diff)| @@ -26,6 +26,8 @@ | ||
| 26 | 26 | |
| 27 | 27 | #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE) |
| 28 | 28 | |
| 29 | +#include <cutils/log.h> | |
| 30 | + | |
| 29 | 31 | #include "bta_api.h" |
| 30 | 32 | #include "bta_sys.h" |
| 31 | 33 | #include "bt_common.h" |
| @@ -176,6 +178,14 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, | ||
| 176 | 178 | |
| 177 | 179 | if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) { |
| 178 | 180 | /* offset smaller than data structure in front of actual data */ |
| 181 | + if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > | |
| 182 | + PAN_BUF_SIZE) { | |
| 183 | + android_errorWriteLog(0x534e4554, "63146237"); | |
| 184 | + APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, | |
| 185 | + p_buf->len); | |
| 186 | + osi_free(p_buf); | |
| 187 | + return; | |
| 188 | + } | |
| 179 | 189 | p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE); |
| 180 | 190 | memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS), |
| 181 | 191 | (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len); |
Fork