OSDN Git Service

DO NOT MERGE - Check SDU lower bound before allocate p_data
authorUgo Yu <ugoyu@google.com>
Mon, 17 Sep 2018 07:59:30 +0000 (15:59 +0800)
committerandroid-build-team Robot <android-build-team-robot@google.com>
Fri, 19 Oct 2018 16:33:08 +0000 (16:33 +0000)
Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)

stack/l2cap/l2c_fcr.cc

index 9c2742f..9030096 100644 (file)
@@ -842,6 +842,14 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) {
       return;
     }
 
+    if (sdu_length < p_buf->len) {
+      L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
+      android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
+      /* Discard the buffer */
+      osi_free(p_buf);
+      return;
+    }
+
     p_data = (BT_HDR*)osi_malloc(L2CAP_MAX_BUF_SIZE);
     if (p_data == NULL) {
       osi_free(p_buf);