From a9c3c6dfb35a6e15c5f83ff5047da54173a4fefd Mon Sep 17 00:00:00 2001
From: Myles Watson
Date: Thu, 11 Jan 2018 14:20:26 -0800
Subject: [PATCH] BNEP: Check received frame type

Bug: 68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
(cherry picked from commit b910734a55fd3babf71b049d5638bf86f81d7c1e)
(cherry picked from commit ae12fc48fa6c7a114234afa055ab1cd630d6da8d)
---
 stack/bnep/bnep_main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index d9dc116bf..affd8ddab 100644
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c
@@ -496,6 +496,12 @@ static void bnep_data_ind (UINT16 l2cap_cid, BT_HDR *p_buf)
 type = *p++;
 extension_present = type >> 7;
 type &= 0x7f;
+ if (type >= sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])) {
+ BNEP_TRACE_EVENT("BNEP - rcvd frame, bad type: 0x%02x", type);
+ android_errorWriteLog(0x534e4554, "68818034");
+ osi_free(p_buf);
+ return;
+ }
 if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE))
 {
 BNEP_TRACE_EVENT ("BNEP - rcvd frame, bad len: %d type: 0x%02x", p_buf->len, type);
-- 
2.11.0
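Review bot: The first context line, `type = *p++;`, reads a byte from the received frame before any length test visible in this hunk, so the added check protects the `bnep_frame_hdr_sizes[type]` lookup but not that read; bnep_data_ind begins above the hunk, so it is worth confirming that a buffer with `p_buf->len == 0` is rejected earlier. The new block would also read better with a short comment stating why it exists, for example `/* type is peer-controlled and indexes bnep_frame_hdr_sizes; drop frames with an unknown type */`, plus a note that `0x534e4554` is the SafetyNet event-log tag. The `sizeof`-based bound is only valid while `bnep_frame_hdr_sizes` is a complete array type in this translation unit, which the hunk does not show. With `Test: build` as the only verification, a unit test that feeds a frame whose type lies beyond the table would pin the drop-and-free behaviour.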