
DO NOT MERGE btif: check overflow on create_pbuf size
authorMarie Janssen <jamuraa@google.com>
Thu, 12 May 2016 22:30:16 +0000 (15:30 -0700)
committerMarie Janssen <jamuraa@google.com>
Fri, 13 May 2016 19:07:52 +0000 (12:07 -0700)
Bug: 27930580
Change-Id: Ieb1f23f9a8a937b21f7c5eca92da3b0b821400e6

btif/src/btif_hh.c

index 3b9220a..d0aaf26 100644 (file)
@@ -33,6 +33,8 @@
 
 #define LOG_TAG "bt_btif_hh"
 
+#include <cutils/log.h>
+
 #include "bta_api.h"
 #include "bta_hh_api.h"
 #include "btif_storage.h"
@@ -254,7 +256,12 @@ static void toggle_os_keylockstates(int fd, int changedlockstates)
 *******************************************************************************/
 static BT_HDR *create_pbuf(UINT16 len, UINT8 *data)
 {
-    BT_HDR* p_buf = GKI_getbuf((UINT16) (len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR)));
+    UINT16 buflen = (UINT16) (len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR));
+    if (buflen < len) {
+      android_errorWriteWithInfoLog(0x534e4554, "28672558", -1, NULL, 0);
+      return NULL;
+    }
+    BT_HDR* p_buf = GKI_getbuf(buflen);
 
     if (p_buf) {
         UINT8* pbuf_data;
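Review bot: The wrap test at `if (buflen < len)` is only sound because BTA_HH_MIN_OFFSET + sizeof(BT_HDR) is a small constant that cannot itself exceed a UINT16, and that reasoning is left to the reader; computing the total in a wider type states the bound directly and removes the narrowing cast: `uint32_t total = (uint32_t)len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR);` / `if (total > UINT16_MAX) { android_errorWriteWithInfoLog(0x534e4554, "28672558", -1, NULL, 0); return NULL; }` / `BT_HDR* p_buf = GKI_getbuf((UINT16)total);`. If the modular form is kept, a comment such as `/* len + offset + header wrapped the UINT16; the buffer would be smaller than the payload */` above the check would make the intent clear. The SafetyNet record logs bug id "28672558" while the commit trailer says Bug: 27930580, so the intended id should be confirmed. Every caller of create_pbuf must already cope with NULL (GKI_getbuf could fail before this change), but the new early return skips whatever the rest of the function does on failure; create_pbuf's body continues past the end of this hunk and its callers are not visible here.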