BNEP: Check received frame type

Bug: 68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
Merged-In: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019

diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index 0eda144..ad1f59f 100644 (file)
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -496,6 +496,12 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
     type = *p++;
     extension_present = type >> 7;
     type &= 0x7f;
+    if (type >= sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])) {
+        BNEP_TRACE_EVENT("BNEP - rcvd frame, bad type: 0x%02x", type);
+        android_errorWriteLog(0x534e4554, "68818034");
+        osi_free(p_buf);
+        return;
+    }
     if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE))
     {
         BNEP_TRACE_EVENT ("BNEP - rcvd frame, bad len: %d  type: 0x%02x", p_buf->len, type);