system/bt
Revision | 922d50b99e45d02b405940fe9a33887141da5c7e (tree) |
Zeit | 2017-09-15 02:54:03 |
Autor | Pavlin Radoslavov <pavlin@goog...> |
Commiter | Dan Pasanen |
Add a missing check for PAN buffer size before copying data
Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit 1d909399cb4259243dac2e531e3ce6ca1afa77e7)
(cherry picked from commit aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
(cherry picked from commit d1145e0af3507e37d4bd25f1833e22c5c716f0ac)
(cherry picked from commit 23642dc32ce8704067882cfb37745b62c2b3562a)
@@ -26,6 +26,8 @@ | ||
26 | 26 | |
27 | 27 | #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE) |
28 | 28 | |
29 | +#include <cutils/log.h> | |
30 | + | |
29 | 31 | #include "bta_api.h" |
30 | 32 | #include "bta_sys.h" |
31 | 33 | #include "bt_common.h" |
@@ -176,6 +178,14 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, | ||
176 | 178 | |
177 | 179 | if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) { |
178 | 180 | /* offset smaller than data structure in front of actual data */ |
181 | + if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > | |
182 | + PAN_BUF_SIZE) { | |
183 | + android_errorWriteLog(0x534e4554, "63146237"); | |
184 | + APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, | |
185 | + p_buf->len); | |
186 | + osi_free(p_buf); | |
187 | + return; | |
188 | + } | |
179 | 189 | p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE); |
180 | 190 | memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS), |
181 | 191 | (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len); |
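Review bot: The added guard on new lines 181–182 spells out the destination layout (`sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS)`) a second time, independently of the memcpy destination on line 190 that it protects, so a later change to either expression is not forced onto the other. Computing it once keeps the bound and the write visibly tied: `const size_t hdr_len = sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS);`, then `if (hdr_len + p_buf->len > PAN_BUF_SIZE) {` and `memcpy((UINT8 *)p_new_buf + hdr_len, (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);`. The pre-existing comment `/* offset smaller than data structure in front of actual data */` now sits directly above the size check rather than the copy it describes; a line such as `/* p_new_buf is PAN_BUF_SIZE bytes: header, params and payload must all fit */` on the guard would make its purpose clear at a glance. The remainder of bta_pan_data_buf_ind_cback, including whatever is done with p_buf after the copy, lies outside the hunk, so the early `osi_free(p_buf); return;` path is assumed to match the function's existing ownership of p_buf.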