From 1d909399cb4259243dac2e531e3ce6ca1afa77e7 Mon Sep 17 00:00:00 2001
From: Pavlin Radoslavov
Date: Thu, 6 Jul 2017 16:58:24 -0700
Subject: [PATCH] Add a missing check for PAN buffer size before copying data

Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
---
 bta/pan/bta_pan_act.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/bta/pan/bta_pan_act.cc b/bta/pan/bta_pan_act.cc
index ecc821254..c559993ac 100644
--- a/bta/pan/bta_pan_act.cc
+++ b/bta/pan/bta_pan_act.cc
@@ -28,6 +28,8 @@
 #include
+#include
+
 #include "bt_common.h"
 #include "bta_api.h"
 #include "bta_pan_api.h"
@@ -174,6 +176,14 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, BD_ADDR src,
 if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
 /* offset smaller than data structure in front of actual data */
+if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+PAN_BUF_SIZE) {
+android_errorWriteLog(0x534e4554, "63146237");
+APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+p_buf->len);
+osi_free(p_buf);
+return;
+}
 p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
 memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS), (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);
-- 
2.11.0
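Review bot: The new bound check in the second hunk matches the memcpy below it, but the three terms it sums are only explained by that memcpy two lines later, so a comment pinning the buffer layout would keep the check and the copy from drifting apart; put `/* p_new_buf is PAN_BUF_SIZE bytes laid out as BT_HDR, tBTA_PAN_DATA_PARAMS, then the payload; drop a payload that cannot fit */` above the added `if`. The check also takes `p_buf->len` and `p_buf->offset` as an accurate description of p_buf's own allocation, which is a precondition of the callback rather than something this hunk verifies, so it is worth confirming against the caller that hands in p_buf. `%d` for the uint16_t `p_buf->len` is valid through default argument promotion, but `%u` states the type honestly. The enclosing function starts before the hunk and continues after it, and the angle-bracket header names in the first hunk were stripped during extraction, so the added include cannot be reviewed here.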