HH: Check parameter length in bta_hh_ctrl_dat_act

Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c

diff --git a/bta/hh/bta_hh_act.cc b/bta/hh/bta_hh_act.cc
index 4d85437..a7bdc9c 100644 (file)
--- a/bta/hh/bta_hh_act.cc
+++ b/bta/hh/bta_hh_act.cc
@@ -26,6 +26,7 @@
 
 #if (BTA_HH_INCLUDED == TRUE)
 
+#include <log/log.h>
 #include <string.h>
 
 #include "bta_hh_co.h"
@@ -717,6 +718,12 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, tBTA_HH_DATA* p_data) {
   APPL_TRACE_DEBUG("Ctrl DATA received w4: event[%s]",
                    bta_hh_get_w4_event(p_cb->w4_evt));
 #endif
+  if (pdata->len == 0) {
+    android_errorWriteLog(0x534e4554, "116108738");
+    p_cb->w4_evt = 0;
+    osi_free_and_reset((void**)&pdata);
+    return;
+  }
   hs_data.status = BTA_HH_OK;
   hs_data.handle = p_cb->hid_handle;