ACL: Drop broadcasts am: 83c32e8e8c

author Myles Watson <mylesgw@google.com>

Fri, 6 Nov 2020 00:51:32 +0000 (00:51 +0000)

committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Fri, 6 Nov 2020 00:51:32 +0000 (00:51 +0000)
author Myles Watson <mylesgw@google.com>
Fri, 6 Nov 2020 00:51:32 +0000 (00:51 +0000)
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Fri, 6 Nov 2020 00:51:32 +0000 (00:51 +0000)
diff --cc hci/src/packet_fragmenter.cc

index 143fc23,87d1df5..08de402
--- 1/hci/src/packet_fragmenter.cc
--- 2/hci/src/packet_fragmenter.cc
+++ b/hci/src/packet_fragmenter.cc
@@@ -131,16 -135,17 +133,24 @@@ static void reassemble_and_dispatch(UNU
       CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
   
       uint8_t boundary_flag = GET_BOUNDARY_FLAG(handle);
+     uint8_t broadcast_flag = GET_BROADCAST_FLAG(handle);
       handle = handle & HANDLE_MASK;
   
+     if (broadcast_flag != POINT_TO_POINT) {
+       LOG_WARN(LOG_TAG, "dropping broadcast packet");
+       android_errorWriteLog(0x534e4554, "169327567");
+       buffer_allocator->free(packet);
+       return;
+     }
+ 
       if (boundary_flag == START_PACKET_BOUNDARY) {
+ +      if (acl_length < 2) {
+ +        LOG_WARN(LOG_TAG, "%s invalid acl_length %d", __func__, acl_length);
+ +        buffer_allocator->free(packet);
+ +        return;
+ +      }
+ +      uint16_t l2cap_length;
+ +      STREAM_TO_UINT16(l2cap_length, stream);
         auto map_iter = partial_packets.find(handle);
         if (map_iter != partial_packets.end()) {
           LOG_WARN(LOG_TAG,
author	Myles Watson <mylesgw@google.com>
	Fri, 6 Nov 2020 00:51:32 +0000 (00:51 +0000)
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
	Fri, 6 Nov 2020 00:51:32 +0000 (00:51 +0000)