Add packet length checks in mca_ccb_hdl_req

author Cheney Ni <cheneyni@google.com>

Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)

committer Ryan Longair <rlongair@google.com>

Wed, 15 Aug 2018 20:28:38 +0000 (13:28 -0700)
author Cheney Ni <cheneyni@google.com>
Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)
committer Ryan Longair <rlongair@google.com>
Wed, 15 Aug 2018 20:28:38 +0000 (13:28 -0700)
diff --git a/stack/mcap/mca_cact.cc b/stack/mcap/mca_cact.cc

index 48d0c0a..98a3688 100644 (file)
--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc
@@ -22,6 +22,7 @@
   *  Functions.
   *
   ******************************************************************************/
+#include <log/log.h>
  #include <string.h>
  #include "bt_common.h"
  #include "bt_target.h"
@@ -251,9 +252,15 @@ void mca_ccb_hdl_req(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
    p_rx_msg = (tMCA_CCB_MSG*)p_pkt;
    p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
    evt_data.hdr.op_code = *p++;
-  BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
    reject_opcode = evt_data.hdr.op_code + 1;
  
+  if (p_pkt->len >= 3) {
+    BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
+  } else {
+    android_errorWriteLog(0x534e4554, "110791536");
+    evt_data.hdr.mdl_id = 0;
+  }
+
    MCA_TRACE_DEBUG("received mdl id: %d ", evt_data.hdr.mdl_id);
    if (p_ccb->status == MCA_CCB_STAT_PENDING) {
      MCA_TRACE_DEBUG("received req inpending state");
author	Cheney Ni <cheneyni@google.com>
	Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)
committer	Ryan Longair <rlongair@google.com>
	Wed, 15 Aug 2018 20:28:38 +0000 (13:28 -0700)