From 2da73209f213a24fe397eabadc914a432fc4edf7 Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Thu, 7 Jun 2018 14:02:30 -0700
Subject: [PATCH] DO NOT MERGE HID Host: Check L2CAP packet data length
Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
---
 stack/hid/hidh_conn.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/stack/hid/hidh_conn.c b/stack/hid/hidh_conn.c
index 0cc697619..c239fe7c5 100644
--- a/stack/hid/hidh_conn.c
+++ b/stack/hid/hidh_conn.c
@@ -29,6 +29,7 @@
 #include "gki.h"
 #include "bt_types.h"
+#include "log/log.h"
 #include "l2cdefs.h"
 #include "l2c_api.h"
@@ -801,6 +802,13 @@ static void hidh_l2cif_data_ind (UINT16 l2cap_cid, BT_HDR *p_msg)
 return;
 }
+ if (p_msg->len < 1)
+ {
+ HIDH_TRACE_WARNING ("HID-Host Rcvd L2CAP data, invalid length");
+ GKI_freebuf (p_msg);
+ android_errorWriteLog(0x534e4554, "80493272");
+ return;
+ }
 ttype = HID_GET_TRANS_FROM_HDR(*p_data);
 param = HID_GET_PARAM_FROM_HDR(*p_data);
--
2.11.0
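Review bot: The new `p_msg->len < 1` guard in hidh_l2cif_data_ind covers only the single header byte that `HID_GET_TRANS_FROM_HDR(*p_data)` and `HID_GET_PARAM_FROM_HDR(*p_data)` read right after it, so a packet with `len == 1` is still accepted and carries no payload behind the header. The rest of the function lies outside this hunk; if any later branch or a consumer of the message reads a report ID or other payload byte, that read needs its own check against the remaining length. The guard also presumes `p_data` was derived from a sane `p_msg->offset`, which is not visible here. A short comment on the guard would record the intent, e.g. `/* need the 1-byte HID transaction header before dereferencing p_data */`.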