Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ

author Ajay Panicker <apanicke@google.com>

Fri, 13 Apr 2018 00:03:09 +0000 (17:03 -0700)

committer android-build-team Robot <android-build-team-robot@google.com>

Fri, 10 Aug 2018 20:30:31 +0000 (20:30 +0000)
author Ajay Panicker <apanicke@google.com>
Fri, 13 Apr 2018 00:03:09 +0000 (17:03 -0700)
committer android-build-team Robot <android-build-team-robot@google.com>
Fri, 10 Aug 2018 20:30:31 +0000 (20:30 +0000)
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc

index 6c7820f..17ce2d3 100644 (file)
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -33,6 +33,7 @@
  #include "hcimsgs.h"
  #include "l2c_int.h"
  #include "l2cdefs.h"
+#include "log/log.h"
  #include "osi/include/osi.h"
  #include "stack_config.h"
  
@@ -788,6 +789,10 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
        break;
  
      case L2CAP_CMD_DISC_REQ:
+      if (p + 4 > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "74121659");
+        return;
+      }
        STREAM_TO_UINT16(lcid, p);
        STREAM_TO_UINT16(rcid, p);
author	Ajay Panicker <apanicke@google.com>
	Fri, 13 Apr 2018 00:03:09 +0000 (17:03 -0700)
committer	android-build-team Robot <android-build-team-robot@google.com>
	Fri, 10 Aug 2018 20:30:31 +0000 (20:30 +0000)