From: Myles Watson
Date: Wed, 5 Dec 2018 18:26:27 +0000 (-0800)
Subject: RFCOMM: Check flow control length
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=be7c4f5430b0efd9d798a1cfd01edb243c35d61a;p=android-x86%2Fsystem-bt.git
RFCOMM: Check flow control length
Change-Id: Iee6392d1d93dc57e28c54fffff80e9f38286d863
Fixes: 120276962
Test: Send a flow control packet with length 3
---
diff --git a/stack/rfcomm/rfc_ts_frames.cc b/stack/rfcomm/rfc_ts_frames.cc
index d253b4027..b8a072614 100644
--- a/stack/rfcomm/rfc_ts_frames.cc
+++ b/stack/rfcomm/rfc_ts_frames.cc
@@ -539,6 +539,10 @@ uint8_t rfc_parse_data(tRFC_MCB* p_mcb, MX_FRAME* p_frame, BT_HDR* p_buf) {
 /* handle credit if credit based flow control */
 if ((p_mcb->flow == PORT_FC_CREDIT) && (p_frame->type == RFCOMM_UIH) &&
 (p_frame->dlci != RFCOMM_MX_DLCI) && (p_frame->pf == 1)) {
+ if (p_buf->len < sizeof(uint8_t)) {
+ RFCOMM_TRACE_ERROR("Bad Length in flow control: %d", p_buf->len);
+ return RFC_EVENT_BAD_FRAME;
+ }
 p_frame->credit = *p_data++;
 p_buf->len--;
 p_buf->offset++;
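Review bot: The early `return RFC_EVENT_BAD_FRAME;` added inside the credit branch leaves `p_buf` untouched, so the caller must release the buffer on that event. rfc_parse_data starts and continues outside the hunk, so this ownership is not visible here and is worth confirming; otherwise each malformed frame could leak a buffer. The guard would also read better with a comment naming what it protects, for example `/* credit-based UIH with P/F=1 carries one credit octet before the payload; reject frames too short to hold it */`, since `sizeof(uint8_t)` alone does not tie the check to the `*p_data++` read and the `p_buf->len--` that follow it. The commit touches only this file and its Test: line describes a manual step, so a unit test that passes rfc_parse_data a frame with no octet left for the credit field would keep the check from regressing.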