RFCOMM: Check flow control length

author Myles Watson <mylesgw@google.com>

Wed, 5 Dec 2018 18:26:27 +0000 (10:26 -0800)

committer Myles Watson <mylesgw@google.com>

Thu, 6 Dec 2018 21:46:56 +0000 (13:46 -0800)
author Myles Watson <mylesgw@google.com>
Wed, 5 Dec 2018 18:26:27 +0000 (10:26 -0800)
committer Myles Watson <mylesgw@google.com>
Thu, 6 Dec 2018 21:46:56 +0000 (13:46 -0800)
diff --git a/stack/rfcomm/rfc_ts_frames.cc b/stack/rfcomm/rfc_ts_frames.cc

index d253b40..b8a0726 100644 (file)
--- a/stack/rfcomm/rfc_ts_frames.cc
+++ b/stack/rfcomm/rfc_ts_frames.cc
@@ -539,6 +539,10 @@ uint8_t rfc_parse_data(tRFC_MCB* p_mcb, MX_FRAME* p_frame, BT_HDR* p_buf) {
    /* handle credit if credit based flow control */
    if ((p_mcb->flow == PORT_FC_CREDIT) && (p_frame->type == RFCOMM_UIH) &&
        (p_frame->dlci != RFCOMM_MX_DLCI) && (p_frame->pf == 1)) {
+    if (p_buf->len < sizeof(uint8_t)) {
+      RFCOMM_TRACE_ERROR("Bad Length in flow control: %d", p_buf->len);
+      return RFC_EVENT_BAD_FRAME;
+    }
      p_frame->credit = *p_data++;
      p_buf->len--;
      p_buf->offset++;
author	Myles Watson <mylesgw@google.com>
	Wed, 5 Dec 2018 18:26:27 +0000 (10:26 -0800)
committer	Myles Watson <mylesgw@google.com>
	Thu, 6 Dec 2018 21:46:56 +0000 (13:46 -0800)