UINT8 pkt_type;
tL2C_LCB *p_lcb;
tL2C_CCB *p_ccb = NULL;
- UINT16 l2cap_len, rcv_cid, psm;
+ UINT16 l2cap_len, rcv_cid;
UINT16 credit;
/* Extract the handle */
else if (rcv_cid == L2CAP_CONNECTIONLESS_CID)
{
/* process_connectionless_data (p_lcb); */
- STREAM_TO_UINT16 (psm, p);
- L2CAP_TRACE_DEBUG( "GOT CONNECTIONLESS DATA PSM:%d", psm ) ;
#if (L2CAP_UCD_INCLUDED == TRUE)
/* if it is not broadcast, check UCD registration */
{
case L2CAP_CFG_TYPE_MTU:
cfg_info.mtu_present = TRUE;
- if (p + 2 > p_next_cmd) {
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
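Review bot: The bound `if (p + cfg_len > p_next_cmd) {` forms the pointer `p + cfg_len` before comparing it, which is only well defined while the result stays within (or one past) the packet buffer; comparing lengths avoids that, e.g. `if (cfg_len > p_next_cmd - p) {`. In the typed cases (MTU, FLUSH_TOUT, QOS, FCR, FCS, EXT_FLOW) cfg_len has just been pinned to a small constant, so there this is mostly a matter of form. The same expression in the generic option path just before `p += cfg_len;` uses cfg_len as parsed from the packet, so it matters more there. This assumes p never exceeds p_next_cmd at these points, which the visible lines do not establish; the switch body continues outside the hunk.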
case L2CAP_CFG_TYPE_FLUSH_TOUT:
cfg_info.flush_to_present = TRUE;
- if (p + 2 > p_next_cmd) {
+ if (cfg_len != 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
case L2CAP_CFG_TYPE_QOS:
cfg_info.qos_present = TRUE;
- if (p + 2 + 5 * 4 > p_next_cmd) {
+ if (cfg_len != 2 + 5 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
case L2CAP_CFG_TYPE_FCR:
cfg_info.fcr_present = TRUE;
- if (p + 3 + 3 * 2 > p_next_cmd) {
+ if (cfg_len != 3 + 3 * 2) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
case L2CAP_CFG_TYPE_FCS:
cfg_info.fcs_present = TRUE;
- if (p + 1 > p_next_cmd) {
+ if (cfg_len != 1) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
case L2CAP_CFG_TYPE_EXT_FLOW:
cfg_info.ext_flow_spec_present = TRUE;
- if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+ if (cfg_len != 1 + 2 + 3 * 4) {
+ android_errorWriteLog(0x534e4554, "119870451");
+ return;
+ }
+ if (p + cfg_len > p_next_cmd) {
android_errorWriteLog(0x534e4554, "74202041");
return;
}
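Review bot: The new exact-length check for the extended flow spec option requires `1 + 2 + 3 * 4` (15 bytes), while the removed bound on the same case was `p + 2 + 2 + 3 * 4` (16 bytes), so the two disagree by one. The field reads that follow are outside the hunk; if they still consume 16 bytes, a 15-byte option passes both checks and the final read lands one byte past what was validated, while a well-formed 16-byte option is rejected. Confirm against those reads and, if they total 16, use `if (cfg_len != 2 + 2 + 3 * 4) {`.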
/* sanity check option length */
if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len)
{
+ if (p + cfg_len > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "79488381");
+ return;
+ }
p += cfg_len;
if ((cfg_code & 0x80) == 0)
{