switch (cmd_code)
{
case L2CAP_CMD_REJECT:
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (rej_reason, p);
if (rej_reason == L2CAP_CMD_REJ_MTU_EXCEEDED)
{
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (rej_mtu, p);
/* What to do with the MTU reject ? We have negotiated an MTU. For now */
/* we will ignore it and let a higher protocol timeout take care of it */
}
if (rej_reason == L2CAP_CMD_REJ_INVALID_CID)
{
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (rcid, p);
STREAM_TO_UINT16 (lcid, p);
break;
case L2CAP_CMD_CONN_REQ:
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (con_info.psm, p);
STREAM_TO_UINT16 (rcid, p);
if ((p_rcb = l2cu_find_rcb_by_psm (con_info.psm)) == NULL)
break;
case L2CAP_CMD_CONN_RSP:
+ if (p + 8 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (con_info.remote_cid, p);
STREAM_TO_UINT16 (lcid, p);
STREAM_TO_UINT16 (con_info.l2cap_result, p);
cfg_rej = FALSE;
cfg_rej_len = 0;
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (lcid, p);
STREAM_TO_UINT16 (cfg_info.flags, p);
while (p < p_cfg_end)
{
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_code, p);
STREAM_TO_UINT8 (cfg_len, p);
{
case L2CAP_CFG_TYPE_MTU:
cfg_info.mtu_present = TRUE;
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (cfg_info.mtu, p);
break;
case L2CAP_CFG_TYPE_FLUSH_TOUT:
cfg_info.flush_to_present = TRUE;
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (cfg_info.flush_to, p);
break;
case L2CAP_CFG_TYPE_QOS:
cfg_info.qos_present = TRUE;
+ if (p + 2 + 5 * 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_info.qos.qos_flags, p);
STREAM_TO_UINT8 (cfg_info.qos.service_type, p);
STREAM_TO_UINT32 (cfg_info.qos.token_rate, p);
case L2CAP_CFG_TYPE_FCR:
cfg_info.fcr_present = TRUE;
+ if (p + 3 + 3 * 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_info.fcr.mode, p);
STREAM_TO_UINT8 (cfg_info.fcr.tx_win_sz, p);
STREAM_TO_UINT8 (cfg_info.fcr.max_transmit, p);
case L2CAP_CFG_TYPE_FCS:
cfg_info.fcs_present = TRUE;
+ if (p + 1 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_info.fcs, p);
break;
case L2CAP_CFG_TYPE_EXT_FLOW:
cfg_info.ext_flow_spec_present = TRUE;
+ if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_info.ext_flow_spec.id, p);
STREAM_TO_UINT8 (cfg_info.ext_flow_spec.stype, p);
STREAM_TO_UINT16 (cfg_info.ext_flow_spec.max_sdu_size, p);
case L2CAP_CMD_CONFIG_RSP:
p_cfg_end = p + cmd_len;
+ if (p + 6 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (lcid, p);
STREAM_TO_UINT16 (cfg_info.flags, p);
STREAM_TO_UINT16 (cfg_info.result, p);
while (p < p_cfg_end)
{
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_code, p);
STREAM_TO_UINT8 (cfg_len, p);
{
case L2CAP_CFG_TYPE_MTU:
cfg_info.mtu_present = TRUE;
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (cfg_info.mtu, p);
break;
case L2CAP_CFG_TYPE_FLUSH_TOUT:
cfg_info.flush_to_present = TRUE;
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (cfg_info.flush_to, p);
break;
case L2CAP_CFG_TYPE_QOS:
cfg_info.qos_present = TRUE;
+ if (p + 2 + 5 * 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_info.qos.qos_flags, p);
STREAM_TO_UINT8 (cfg_info.qos.service_type, p);
STREAM_TO_UINT32 (cfg_info.qos.token_rate, p);
case L2CAP_CFG_TYPE_FCR:
cfg_info.fcr_present = TRUE;
+ if (p + 3 + 3 * 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_info.fcr.mode, p);
STREAM_TO_UINT8 (cfg_info.fcr.tx_win_sz, p);
STREAM_TO_UINT8 (cfg_info.fcr.max_transmit, p);
case L2CAP_CFG_TYPE_FCS:
cfg_info.fcs_present = TRUE;
+ if (p + 1 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_info.fcs, p);
break;
case L2CAP_CFG_TYPE_EXT_FLOW:
cfg_info.ext_flow_spec_present = TRUE;
+ if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT8 (cfg_info.ext_flow_spec.id, p);
STREAM_TO_UINT8 (cfg_info.ext_flow_spec.stype, p);
STREAM_TO_UINT16 (cfg_info.ext_flow_spec.max_sdu_size, p);
break;
case L2CAP_CMD_DISC_REQ:
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (lcid, p);
STREAM_TO_UINT16 (rcid, p);
break;
case L2CAP_CMD_DISC_RSP:
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (rcid, p);
STREAM_TO_UINT16 (lcid, p);
break;
case L2CAP_CMD_INFO_REQ:
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (info_type, p);
l2cu_send_peer_info_rsp (p_lcb, id, info_type);
break;
p_lcb->w4_info_rsp = FALSE;
}
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (info_type, p);
STREAM_TO_UINT16 (result, p);
if ( (info_type == L2CAP_EXTENDED_FEATURES_INFO_TYPE)
&& (result == L2CAP_INFO_RESP_RESULT_SUCCESS) )
{
+ if (p + 4 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT32( p_lcb->peer_ext_fea, p );
#if (L2CAP_NUM_FIXED_CHNLS > 0)
{
if (result == L2CAP_INFO_RESP_RESULT_SUCCESS)
{
+ if (p + 2 > p_next_cmd) {
+ android_errorWriteLog(0x534e4554, "74202041");
+ return;
+ }
STREAM_TO_UINT16 (p_lcb->ucd_mtu, p);
}
}
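Review bot: Every added guard, from the `L2CAP_CMD_REJECT` case down to the `ucd_mtu` read, first forms `p + N` and only then compares it with `p_next_cmd`; when fewer than N bytes remain that pointer is more than one-past-the-end of the buffer, which is undefined behaviour in C and exactly the kind of comparison an optimizer may fold away, so the check should be expressed on the remaining length instead, `if (p_next_cmd - p < 2) { android_errorWriteLog(0x534e4554, "74202041"); return; }`, ideally wrapped once in a `static` helper or macro rather than repeated as the same four lines some thirty times. The per-option checks in both config loops test the fixed size of the option type but never compare it with the `cfg_len` byte read just before (`STREAM_TO_UINT8 (cfg_len, p);`), so an option whose advertised length disagrees with its type leaves `p` out of step with the option stream for the remainder of the loop; presumably the default branch outside the hunk skips `cfg_len` bytes, and validating `cfg_len` against the expected size for the type (rejecting the configuration on mismatch, as the L2CAP spec calls for) would close that gap. Whether `p_cfg_end` (`p + cmd_len` in the config-response case) can exceed `p_next_cmd` is not visible here; if both derive from the same `cmd_len` the loop bound is redundant, otherwise the stricter bound should govern the loop. The enclosing `switch` and the function it belongs to start before and continue past this hunk.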