From: Hansong Zhang <hsz@google.com>
Date: Thu, 12 Apr 2018 19:23:36 +0000 (-0700)
Subject: DO NOT MERGE Add bounds check for BNEP_Write
X-Git-Tag: android-x86-9.0-r1~71^2^2^2^2^2~8^2^2^2~5^2
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=769aeaaf444e08bad9d4e902242a3b8a1765202d;p=android-x86%2Fsystem-bt.git

DO NOT MERGE Add bounds check for BNEP_Write

Bug: 74947856
Test: manual
Change-Id: I19d9dee53b9cac800c66becef4861e4ad9602bdf
---

diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
index 9a7b5d944..177d92f12 100644
--- a/stack/bnep/bnep_api.c
+++ b/stack/bnep/bnep_api.c
@@ -25,6 +25,7 @@
 #include <string.h>
 #include "bnep_api.h"
 #include "bnep_int.h"
+#include "log/log.h"
 
 
 extern fixed_queue_t *btu_general_alarm_queue;
@@ -414,6 +415,10 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle,
             else
             {
                 new_len += 4;
+                if (new_len > org_len) {
+                    android_errorWriteLog(0x534e4554, "74947856");
+                    return BNEP_IGNORE_CMD;
+                }
                 p_data[2] = 0;
                 p_data[3] = 0;
             }
@@ -521,6 +526,10 @@ tBNEP_RESULT  BNEP_Write (UINT16 handle,
             else
             {
                 new_len += 4;
+                if (new_len > org_len) {
+                    android_errorWriteLog(0x534e4554, "74947856");
+                    return BNEP_IGNORE_CMD;
+                }
                 p_data[2] = 0;
                 p_data[3] = 0;
             }