
DO NOT MERGE btif: check overflow on create_pbuf size
authorMarie Janssen <jamuraa@google.com>
Thu, 12 May 2016 22:30:16 +0000 (15:30 -0700)
committerGerrit - the friendly Code Review server <code-review@localhost>
Tue, 13 Dec 2016 07:25:29 +0000 (23:25 -0800)
Bug: 27930580
Change-Id: Ieb1f23f9a8a937b21f7c5eca92da3b0b821400e6
(cherry picked from commit 514139f4b40cbb035bb92f3e24d5a389d75db9e6)

btif/src/btif_hh.c

index a4057cc..1799b3c 100644 (file)
@@ -36,6 +36,8 @@
 #include <string.h>
 #include <unistd.h>
 
+#include <cutils/log.h>
+
 #include "bta_api.h"
 #include "btif_common.h"
 #include "btif_storage.h"
@@ -247,7 +249,12 @@ static void toggle_os_keylockstates(int fd, int changedlockstates)
 *******************************************************************************/
 static BT_HDR *create_pbuf(UINT16 len, UINT8 *data)
 {
-    BT_HDR* p_buf = osi_malloc(len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR));
+    UINT16 buflen = (UINT16) (len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR));
+    if (buflen < len) {
+      android_errorWriteWithInfoLog(0x534e4554, "28672558", -1, NULL, 0);
+      return NULL;
+    }
+    BT_HDR* p_buf = osi_malloc(buflen);
     UINT8* pbuf_data;
 
     p_buf->len = len;
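Review bot: The result of `osi_malloc(buflen)` is still dereferenced at `p_buf->len = len;` with no NULL check, so if osi_malloc can fail in this tree (its definition is not visible here), the new overflow guard is followed by an unguarded write; adding `if (p_buf == NULL) return NULL;` right after the allocation would close that. Because create_pbuf now has a `return NULL` path, every caller needs to check the result before using the buffer; the callers are outside this hunk, so that should be confirmed. The log call passes "28672558" while the commit trailer says `Bug: 27930580`, which is worth confirming as intended. The `buflen < len` test is correct only because the added constant is smaller than 65536, so a short comment such as `/* UINT16 wrap: sum truncated below len means overflow */` would make that explicit. The function body continues past the end of the hunk.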