From 2feada4e3bb06d30fd857d64e9c8244f33ae8fcf Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Wed, 11 Apr 2018 16:04:51 -0700
Subject: [PATCH] DO NOT MERGE Add bounds check for BNEP_Write
Bug: 74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
---
 stack/bnep/bnep_api.cc | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/stack/bnep/bnep_api.cc b/stack/bnep/bnep_api.cc
index 923ce5093..e5d3c0948 100644
--- a/stack/bnep/bnep_api.cc
+++ b/stack/bnep/bnep_api.cc
@@ -23,6 +23,7 @@
 ******************************************************************************/
 #include "bnep_api.h"
+#include
 #include
 #include "bnep_int.h"
@@ -383,6 +384,10 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
 protocol = 0;
 else {
 new_len += 4;
+ if (new_len > org_len) {
+ android_errorWriteLog(0x534e4554, "74947856");
+ return BNEP_IGNORE_CMD;
+ }
 p_data[2] = 0;
 p_data[3] = 0;
 }
@@ -479,6 +484,10 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,
 protocol = 0;
 else {
 new_len += 4;
+ if (new_len > org_len) {
+ android_errorWriteLog(0x534e4554, "74947856");
+ return BNEP_IGNORE_CMD;
+ }
 p_data[2] = 0;
 p_data[3] = 0;
 }
--
2.11.0
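Review bot: In the BNEP_WriteBuf hunk the added `return BNEP_IGNORE_CMD;` leaves the function without releasing the buffer it was handed. The function starts and ends outside the hunk, so this needs confirming, but if BNEP_WriteBuf owns `p_buf` and frees it on its other error returns, each rejected packet now leaks one buffer. In that case add `osi_free(p_buf);` before the return in that hunk. The identical check in the BNEP_Write hunk likely needs no release, since that function appears to receive a raw data pointer, but confirm nothing has been allocated before that point. A short comment such as `// 0x534e4554 is the "SNET" SafetyNet event tag; the string is the bug id` next to `android_errorWriteLog(...)` in both hunks would explain the magic constant.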