DO NOT MERGE Fix OOB read in process_l2cap_cmd

author Hansong Zhang <hsz@google.com>

Thu, 12 Jul 2018 17:51:30 +0000 (10:51 -0700)

committer android-build-team Robot <android-build-team-robot@google.com>

Fri, 3 Aug 2018 19:18:03 +0000 (19:18 +0000)
author Hansong Zhang <hsz@google.com>
Thu, 12 Jul 2018 17:51:30 +0000 (10:51 -0700)
committer android-build-team Robot <android-build-team-robot@google.com>
Fri, 3 Aug 2018 19:18:03 +0000 (19:18 +0000)
diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc

index 7c1ef48..1f3fb8f 100644 (file)
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -542,6 +542,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
              default:
                /* sanity check option length */
                if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len) {
+                if (p + cfg_len > p_next_cmd) {
+                  android_errorWriteLog(0x534e4554, "79488381");
+                  return;
+                }
                  p += cfg_len;
                  if ((cfg_code & 0x80) == 0) {
                    cfg_rej_len += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
author	Hansong Zhang <hsz@google.com>
	Thu, 12 Jul 2018 17:51:30 +0000 (10:51 -0700)
committer	android-build-team Robot <android-build-team-robot@google.com>
	Fri, 3 Aug 2018 19:18:03 +0000 (19:18 +0000)