From 8a1add8a49ab0287333062d7aebf6ee8f4dd6ae3 Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Thu, 7 Jun 2018 14:18:22 -0700
Subject: [PATCH 1/1] DO NOT MERGE HID Host: Check L2CAP packet data length

Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit 4344cfb76ad4c1c660d00a7b306acccde9bdef77)
---
 stack/hid/hidh_conn.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/stack/hid/hidh_conn.c b/stack/hid/hidh_conn.c
index ffbafe428..39ba8bc56 100644
--- a/stack/hid/hidh_conn.c
+++ b/stack/hid/hidh_conn.c
@@ -29,6 +29,7 @@
 #include "bt_common.h"
 #include "bt_types.h"
+#include "log/log.h"
 #include "l2cdefs.h"
 #include "l2c_api.h"
@@ -820,6 +821,13 @@ static void hidh_l2cif_data_ind (UINT16 l2cap_cid, BT_HDR *p_msg)
 return;
 }
+ if (p_msg->len < 1)
+ {
+ HIDH_TRACE_WARNING ("HID-Host Rcvd L2CAP data, invalid length");
+ osi_free(p_msg);
+ android_errorWriteLog(0x534e4554, "80493272");
+ return;
+ }
 ttype = HID_GET_TRANS_FROM_HDR(*p_data);
 param = HID_GET_PARAM_FROM_HDR(*p_data);
-- 
2.11.0
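Review bot: The new guard in hidh_l2cif_data_ind only establishes that the single header byte read by `HID_GET_TRANS_FROM_HDR(*p_data)` and `HID_GET_PARAM_FROM_HDR(*p_data)` is present, and nothing in the hunk says so; a comment above it such as `/* need at least the 1-byte HID header before dereferencing p_data */` would stop later readers from taking it as validation of the whole payload. The function continues outside this hunk, so any handler further down that reads deeper into the packet presumably still needs its own length check against the remaining `p_msg->len`. For triage, the warning would be more useful with the channel included, `HIDH_TRACE_WARNING ("HID-Host Rcvd L2CAP data, invalid length, CID: 0x%x", l2cap_cid);`. The bare `0x534e4554` (ASCII "SNET") also deserves a short comment or a named constant so the event-log tag is recognisable.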