HID Host: Check L2CAP packet data length

author Hansong Zhang <hsz@google.com>

Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)

committer android-build-team Robot <android-build-team-robot@google.com>

Fri, 3 Aug 2018 19:18:14 +0000 (19:18 +0000)
author Hansong Zhang <hsz@google.com>
Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)
committer android-build-team Robot <android-build-team-robot@google.com>
Fri, 3 Aug 2018 19:18:14 +0000 (19:18 +0000)
diff --git a/stack/hid/hidh_conn.cc b/stack/hid/hidh_conn.cc

index 1ab03b7..a41aa90 100644 (file)
--- a/stack/hid/hidh_conn.cc
+++ b/stack/hid/hidh_conn.cc
@@ -42,6 +42,7 @@
  #include "hidh_api.h"
  #include "hidh_int.h"
  
+#include "log/log.h"
  #include "osi/include/osi.h"
  
  static uint8_t find_conn_by_cid(uint16_t cid);
@@ -799,6 +800,14 @@ static void hidh_l2cif_data_ind(uint16_t l2cap_cid, BT_HDR* p_msg) {
      return;
    }
  
+  if (p_msg->len < 1) {
+    HIDH_TRACE_WARNING("Rcvd L2CAP data, invalid length %d, should be >= 1",
+                       p_msg->len);
+    osi_free(p_msg);
+    android_errorWriteLog(0x534e4554, "80493272");
+    return;
+  }
+
    ttype = HID_GET_TRANS_FROM_HDR(*p_data);
    param = HID_GET_PARAM_FROM_HDR(*p_data);
    rep_type = param & HID_PAR_REP_TYPE_MASK;
author	Hansong Zhang <hsz@google.com>
	Thu, 7 Jun 2018 21:25:09 +0000 (14:25 -0700)
committer	android-build-team Robot <android-build-team-robot@google.com>
	Fri, 3 Aug 2018 19:18:14 +0000 (19:18 +0000)