OSDN Git Service

Check device name length
author Jakub Pawlowski <jpawlowski@google.com>
Fri, 28 Apr 2017 12:15:16 +0000 (05:15 -0700)
committer Jakub Pawlowski <jpawlowski@google.com>
Mon, 8 May 2017 08:39:11 +0000 (01:39 -0700)
BT spec limits the length of device name to 248 bytes. With the new
LE advertising packets, which can be up to 1650 bytes long, we must check
the length of the device name received.

Bug: 37671082
Test: manual
Change-Id: Iad309d638003c2391014c9764605d84ed5717cb1
(cherry picked from commit 3a4e7622ff07772a512052c23cada59f5830941f)

btif/src/btif_ble_scanner.cc

index c23c751..4d87c7b 100644 (file)
@@ -160,9 +160,19 @@ void bta_scan_results_cb_impl(bt_bdaddr_t bd_addr, tBT_DEVICE_TYPE device_type,
       btif_gattc_add_remote_bdaddr(bd_addr.address, addr_type);
 
       if (p_eir_remote_name) {
+        if (remote_name_len > BD_NAME_LEN + 1 ||
+            (remote_name_len == BD_NAME_LEN + 1 &&
+             p_eir_remote_name[BD_NAME_LEN] != '\0')) {
+          LOG_INFO(LOG_TAG,
+                   "%s dropping invalid packet - device name too long: %d",
+                   __func__, remote_name_len);
+          return;
+        }
+
         bt_bdname_t bdname;
         memcpy(bdname.name, p_eir_remote_name, remote_name_len);
-        bdname.name[remote_name_len] = '\0';
+        if (remote_name_len < BD_NAME_LEN + 1)
+          bdname.name[remote_name_len] = '\0';
 
         LOG_VERBOSE(LOG_TAG, "%s BLE device name=%s len=%d dev_type=%d",
                     __func__, bdname.name, remote_name_len, device_type);
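Review bot: The new length check is only sound if `remote_name_len` cannot be negative and `bdname.name` really is `BD_NAME_LEN + 1` bytes; neither fact is visible in this hunk, so the guard `remote_name_len > BD_NAME_LEN + 1 || (remote_name_len == BD_NAME_LEN + 1 && p_eir_remote_name[BD_NAME_LEN] != '\0')` should carry a comment stating that buffer size, and if `remote_name_len` is a signed type (the `%d` format suggests it may be), add an explicit `remote_name_len < 0` rejection before the `memcpy`, since a negative value passes the `>` test and is converted to a huge `size_t`. The `LOG_INFO` on every dropped advertisement is also triggered by data a remote peer controls, so a nearby device can fill the log at advertising rate; consider rate-limiting the message or lowering it to verbose. Minor: the message says "device name too long" but also fires for the `BD_NAME_LEN + 1` case whose last byte is not NUL, where "unterminated" would be more accurate.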