HCI: Check length of connection complete event

Fixes: 141619686
Test: Pair and connect
Change-Id: Ib15d6a8cbb8c6a7404bf1afa023277429029867d
(cherry picked from commit 7ee6458cf4939ad78dbebd70c2520ad56c31f4a9)

diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index c70448e..fd52da0 100644 (file)
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -68,7 +68,7 @@ static void btu_hcif_inquiry_result_evt(uint8_t* p);
 static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p);
 static void btu_hcif_extended_inquiry_result_evt(uint8_t* p);
 
-static void btu_hcif_connection_comp_evt(uint8_t* p);
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len);
 static void btu_hcif_connection_request_evt(uint8_t* p);
 static void btu_hcif_disconnection_comp_evt(uint8_t* p);
 static void btu_hcif_authentication_comp_evt(uint8_t* p);
@@ -272,7 +272,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, BT_HDR* p_msg) {
       btu_hcif_extended_inquiry_result_evt(p);
       break;
     case HCI_CONNECTION_COMP_EVT:
-      btu_hcif_connection_comp_evt(p);
+      btu_hcif_connection_comp_evt(p, hci_evt_len);
       break;
     case HCI_CONNECTION_REQUEST_EVT:
       btu_hcif_connection_request_evt(p);
@@ -990,7 +990,7 @@ static void btu_hcif_extended_inquiry_result_evt(uint8_t* p) {
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_connection_comp_evt(uint8_t* p) {
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len) {
   uint8_t status;
   uint16_t handle;
   RawAddress bda;
@@ -998,6 +998,12 @@ static void btu_hcif_connection_comp_evt(uint8_t* p) {
   uint8_t enc_mode;
   tBTM_ESCO_DATA esco_data;
 
+  if (evt_len < 11) {
+    android_errorWriteLog(0x534e4554, "141619686");
+    HCI_TRACE_WARNING("%s: malformed event of size %hhd", __func__, evt_len);
+    return;
+  }
+
   STREAM_TO_UINT8(status, p);
   STREAM_TO_UINT16(handle, p);
   STREAM_TO_BDADDR(bda, p);