
Merge "Check remaining frame length in rfc_process_mx_message" into oc-dev am: ae8509...
authorHansong Zhang <hsz@google.com>
Fri, 10 Aug 2018 00:13:59 +0000 (17:13 -0700)
committerandroid-build-merger <android-build-merger@google.com>
Fri, 10 Aug 2018 00:13:59 +0000 (17:13 -0700)
am: d59828d58f

Change-Id: Idb904813003bb08084e75b69d1c541c055a4eca5

stack/rfcomm/rfc_ts_frames.cc

@@@ -626,7 -619,16 +626,15 @@@ void rfc_process_mx_message(tRFC_MCB* p
    MX_FRAME* p_rx_frame = &rfc_cb.rfc.rx_frame;
    uint16_t length = p_buf->len;
    uint8_t ea, cr, mx_len;
 -  bool is_command;
  
+   if (length < 2) {
+     RFCOMM_TRACE_ERROR(
+         "%s: Illegal MX Frame len when reading EA, C/R. len:%d < 2", __func__,
+         length);
+     android_errorWriteLog(0x534e4554, "111937065");
+     osi_free(p_buf);
+     return;
+   }
    p_rx_frame->ea = *p_data & RFCOMM_EA;
    p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
    p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
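Review bot: The threshold in `if (length < 2)` is not explained, and the lines visible after the guard read only one byte through `p_data`, so a reader cannot tell which second byte the check protects. I would add a comment above the guard such as `// Need the type octet (EA, C/R, type) plus at least one length octet before dereferencing p_data.`, assuming the second byte is the length octet parsed further down. The guard bounds only this fixed header: any later read of an extended length octet or of per-type payload still has to be compared against the remaining length, and that cannot be confirmed here because rfc_process_mx_message continues past the hunk. The literal `0x534e4554` passed to `android_errorWriteLog` would also benefit from a named constant or a short comment, since that event-log entry is presumably what monitoring relies on to notice malformed MX frames from a peer.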