From: Ugo Yu
Date: Wed, 8 Aug 2018 08:09:58 +0000 (+0800)
Subject: Add packet length check in smp_proc_master_id
X-Git-Tag: android-x86-8.1-r1~2^2~2^2~2
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=c9aba1b907c873a6ad4e2bea7fbf9873f5e4d4a2;p=android-x86%2Fsystem-bt.git
Add packet length check in smp_proc_master_id
Bug: 111937027
Test: manual
Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)
---
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 59045be06..8533f2d22 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -911,6 +911,14 @@ void smp_proc_master_id(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {
 tBTM_LE_PENC_KEYS le_key;
 SMP_TRACE_DEBUG("%s", __func__);
+
+ if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand)
+ android_errorWriteLog(0x534e4554, "111937027");
+ SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
+ __func__, p_cb->rcvd_cmd_len);
+ return;
+ }
+
 smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
 STREAM_TO_UINT16(le_key.ediv, p);
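Review bot: The new early return in smp_proc_master_id drops a short Master Identification PDU with only a log entry, and because it sits before `smp_update_key_mask` the key is never marked as received, so the key-distribution phase is presumably left pending until some timeout fires. If that is not intended, fail the pairing on this path before the `return;`, for example by raising `SMP_AUTH_CMPL_EVT` with reason `SMP_INVALID_PARAMETERS` through `smp_sm_event`; I am assuming that is how this file's other malformed-PDU paths behave, which the hunk does not show. The literal 11 also appears three times (condition, comment and log text), so a named constant built from the 1 + 2 + 8 field sizes would keep them in step. The declaration of `p` and the reads that follow `STREAM_TO_UINT16(le_key.ediv, p)` are outside the hunk, so whether 11 bytes covers every read in the function cannot be confirmed from here.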