Check L2CAP size only for start packet

Bug: 124071248
Test: manual
Change-Id: I1d79ee77b344dd3d17d3705e6eef0a72e13f35f1

diff --git a/hci/src/packet_fragmenter.cc b/hci/src/packet_fragmenter.cc
index ef04d08..5036ed5 100644 (file)
--- a/hci/src/packet_fragmenter.cc
+++ b/hci/src/packet_fragmenter.cc
@@ -123,17 +123,10 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) {
   if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) {
     uint8_t* stream = packet->data;
     uint16_t handle;
-    uint16_t l2cap_length;
     uint16_t acl_length;
 
-    if (packet->len < 6) {
-      LOG_WARN(LOG_TAG, "%s invalid packet length %d", __func__, packet->len);
-      return;
-    }
-
     STREAM_TO_UINT16(handle, stream);
     STREAM_TO_UINT16(acl_length, stream);
-    STREAM_TO_UINT16(l2cap_length, stream);
 
     CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
 
@@ -141,6 +134,13 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) {
     handle = handle & HANDLE_MASK;
 
     if (boundary_flag == START_PACKET_BOUNDARY) {
+      if (acl_length < 2) {
+        LOG_WARN(LOG_TAG, "%s invalid acl_length %d", __func__, acl_length);
+        buffer_allocator->free(packet);
+        return;
+      }
+      uint16_t l2cap_length;
+      STREAM_TO_UINT16(l2cap_length, stream);
       auto map_iter = partial_packets.find(handle);
       if (map_iter != partial_packets.end()) {
         LOG_WARN(LOG_TAG,