DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu

[android-x86/system-bt.git] / stack / l2cap / l2c_fcr.c

diff --git a/stack/l2cap/l2c_fcr.c b/stack/l2cap/l2c_fcr.c
index 00f0525..4c0fb41 100644 (file)
--- a/stack/l2cap/l2c_fcr.c
+++ b/stack/l2cap/l2c_fcr.c
@@ -840,7 +840,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)
 
     if (p_ccb->is_first_seg)
     {
+        if (p_buf->len < sizeof(sdu_length)) {
+          L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",
+                            __func__, p_buf->len);
+          android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);
+          /* Discard the buffer */
+          osi_free(p_buf);
+          return;
+        }
         STREAM_TO_UINT16(sdu_length, p);
+
         /* Check the SDU Length with local MTU size */
         if (sdu_length > p_ccb->local_conn_cfg.mtu)
         {
@@ -849,6 +858,17 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)
             return;
         }
 
+        p_buf->len -= sizeof(sdu_length);
+        p_buf->offset += sizeof(sdu_length);
+
+        if (sdu_length < p_buf->len) {
+            L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
+            android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
+            /* Discard the buffer */
+            osi_free(p_buf);
+            return;
+        }
+
 
         if ((p_data = (BT_HDR *) osi_malloc(L2CAP_MAX_BUF_SIZE)) == NULL)
         {
@@ -860,8 +880,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)
         p_data->len = 0;
         p_ccb->ble_sdu_length = sdu_length;
         L2CAP_TRACE_DEBUG ("%s SDU Length = %d",__func__,sdu_length);
-        p_buf->len -= sizeof(sdu_length);
-        p_buf->offset += sizeof(sdu_length);
         p_data->offset = 0;
     } else {
       p_data = p_ccb->ble_sdu;