
Check the HCI length before extracting the L2CAP length and CID
authorPavlin Radoslavov <pavlin@google.com>
Wed, 8 Mar 2017 02:48:21 +0000 (18:48 -0800)
committerPavlin Radoslavov <pavlin@google.com>
Wed, 15 Mar 2017 06:06:17 +0000 (06:06 +0000)
Bug: 34946955
Test: A2DP streaming to a headset
Change-Id: I0b6f50dee05a58db8c043b4d01fb58c9acbeede9
(cherry picked from commit ecc0835114cbae3033d8b0e25bd8b443880d5077)
(cherry picked from commit 33c68c82c1a9c2436d203250ab82f5361ff905b7)
(cherry picked from commit a4c029c7887d0df70c0d6a884a861eb63d827603)

stack/l2cap/l2c_main.cc

index 3adfab5..acb2d4f 100644 (file)
@@ -28,6 +28,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include <log/log.h>
+
 #include "bt_common.h"
 #include "bt_target.h"
 #include "btm_int.h"
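Review bot: The added `#include <log/log.h>` is not used by anything in the hunks shown for this file; the new rejection branch in l2c_rcv_acl_data only calls `L2CAP_TRACE_WARNING`. If the intent was to record the malformed packet in the Android event log, that branch would need a call such as `android_errorWriteLog(0x534e4554, "34946955");` before `osi_free(p_msg);`, and otherwise the include can be dropped. The rest of the file is outside this view, so an existing use elsewhere cannot be ruled out.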
@@ -130,6 +132,13 @@ void l2c_rcv_acl_data(BT_HDR* p_msg) {
   STREAM_TO_UINT16(hci_len, p);
   p_msg->offset += 4;
 
+  if (hci_len < L2CAP_PKT_OVERHEAD) {
+    /* Must receive at least the L2CAP length and CID */
+    L2CAP_TRACE_WARNING("L2CAP - got incorrect hci header");
+    osi_free(p_msg);
+    return;
+  }
+
   /* Extract the length and CID */
   STREAM_TO_UINT16(l2cap_len, p);
   STREAM_TO_UINT16(rcv_cid, p);
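Review bot: The guard `if (hci_len < L2CAP_PKT_OVERHEAD)` bounds `hci_len` from below only, and `hci_len` is itself read from the packet, so it does not establish that four more bytes are present in the buffer before the two `STREAM_TO_UINT16` reads of `l2cap_len` and `rcv_cid`. Nothing in this hunk compares `hci_len` with the size actually received. If `p_msg->len` still holds the full HCI packet length at this point, the condition could be `if (hci_len < L2CAP_PKT_OVERHEAD || hci_len != p_msg->len - 4)`. The function starts before and continues past the hunk, so an earlier check on `p_msg->len` may exist and should be confirmed.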
@@ -152,16 +161,8 @@ void l2c_rcv_acl_data(BT_HDR* p_msg) {
     }
   }
 
-  if (hci_len >=
-      L2CAP_PKT_OVERHEAD) /* Must receive at least the L2CAP length and CID.*/
-  {
-    p_msg->len = hci_len - L2CAP_PKT_OVERHEAD;
-    p_msg->offset += L2CAP_PKT_OVERHEAD;
-  } else {
-    L2CAP_TRACE_WARNING("L2CAP - got incorrect hci header");
-    osi_free(p_msg);
-    return;
-  }
+  p_msg->len = hci_len - L2CAP_PKT_OVERHEAD;
+  p_msg->offset += L2CAP_PKT_OVERHEAD;
 
   if (l2cap_len != p_msg->len) {
     L2CAP_TRACE_WARNING("L2CAP - bad length in pkt. Exp: %d  Act: %d",
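Review bot: `p_msg->len = hci_len - L2CAP_PKT_OVERHEAD;` is now unconditional, and it is safe from underflow only because of the guard added in the earlier hunk of l2c_rcv_acl_data, well above this line. `hci_len` is read with `STREAM_TO_UINT16`, so a value below the overhead would wrap rather than go negative. A one-line comment would keep that dependency visible to the next editor: `/* hci_len >= L2CAP_PKT_OVERHEAD was verified right after the HCI header was read */`. The function body begins and ends outside this hunk.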