From 9ca8d0e813ab68631dfa09020b4674dfbdce7d28 Mon Sep 17 00:00:00 2001
From: Chienyuan <chienyuanhuang@google.com>
Date: Tue, 22 Jan 2019 19:35:03 +0800
Subject: [PATCH] Fix OOB in hidd_l2cif_data_ind

Bug: 109753657
Test: manual
Change-Id: I3bcd369dc34df926f88345c83f10a96ec6566882
---
 stack/hid/hidd_conn.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/stack/hid/hidd_conn.cc b/stack/hid/hidd_conn.cc
index 8786f90f3..55ec3b283 100644
--- a/stack/hid/hidd_conn.cc
+++ b/stack/hid/hidd_conn.cc
@@ -614,6 +614,12 @@ static void hidd_l2cif_data_ind(uint16_t cid, BT_HDR* p_msg) {
 
   HIDD_TRACE_EVENT("%s: cid=%04x", __func__, cid);
 
+  if (p_msg->len < 1) {
+    HIDD_TRACE_ERROR("Invalid data length, ignore");
+    osi_free(p_msg);
+    return;
+  }
+
   p_hcon = &hd_cb.device.conn;
 
   if (p_hcon->conn_state == HID_CONN_STATE_UNUSED ||
-- 
2.11.0