Security fix for potential OOB read in L2CAP

author Chris Manton <cmanton@google.com>

Tue, 8 Feb 2022 01:39:06 +0000 (17:39 -0800)

committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com>

Mon, 14 Feb 2022 23:13:22 +0000 (23:13 +0000)
author Chris Manton <cmanton@google.com>
Tue, 8 Feb 2022 01:39:06 +0000 (17:39 -0800)
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com>
Mon, 14 Feb 2022 23:13:22 +0000 (23:13 +0000)
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc

index b826dc1..16454a5 100644 (file)
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -811,6 +811,11 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
  
      case L2CAP_CMD_CREDIT_BASED_RECONFIG_RES: {
        uint16_t result;
+      if (p + sizeof(uint16_t) > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "212694559");
+        LOG(ERROR) << "invalid read";
+        return;
+      }
        STREAM_TO_UINT16(result, p);
  
        L2CAP_TRACE_DEBUG(
author	Chris Manton <cmanton@google.com>
	Tue, 8 Feb 2022 01:39:06 +0000 (17:39 -0800)
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>
	Mon, 14 Feb 2022 23:13:22 +0000 (23:13 +0000)