From b1f6523591ce4bef1603c85c9c02627b010d4d67 Mon Sep 17 00:00:00 2001
From: Hansong Zhang <hsz@google.com>
Date: Wed, 8 Aug 2018 11:31:28 -0700
Subject: [PATCH] Check remaining frame length in rfc_process_mx_message

Bug: 111936792
Bug: 80432928
Test: manual
Change-Id: Ie2c09f3d598fb230ce060c9043f5a88c241cdd79
(cherry picked from commit 0471355c8b035aaa2ce07a33eecad60ad49c5ad0)
---
 stack/rfcomm/rfc_ts_frames.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/stack/rfcomm/rfc_ts_frames.c b/stack/rfcomm/rfc_ts_frames.c
index 739469f64..fdc7253a8 100644
--- a/stack/rfcomm/rfc_ts_frames.c
+++ b/stack/rfcomm/rfc_ts_frames.c
@@ -22,6 +22,9 @@
  *
  ******************************************************************************/
 
+#define LOG_TAG "rfc_ts_frames"
+#include "osi/include/log.h"
+
 #include <stddef.h>
 #include "bt_target.h"
 #include "bt_common.h"
@@ -670,6 +673,14 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
     UINT8        ea, cr, mx_len;
     BOOLEAN      is_command;
 
+    if (length < 2)
+    {
+        RFCOMM_TRACE_ERROR("%s: Illegal MX Frame len when reading EA, C/R. len:%d < 2",
+                           __func__, length);
+        LOG_ERROR(LOG_TAG, "111937065");
+        osi_free(p_buf);
+        return;
+    }
     p_rx_frame->ea   = *p_data & RFCOMM_EA;
     p_rx_frame->cr   = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
     p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
@@ -692,6 +703,14 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
 
     if (!ea)
     {
+        if (length < 1)
+        {
+            RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0. len:%d < 1",
+                               __func__, length);
+            LOG_ERROR(LOG_TAG, "111937065");
+            osi_free(p_buf);
+            return;
+        }
         mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
         length --;
     }
@@ -768,6 +787,14 @@ void rfc_process_mx_message (tRFC_MCB *p_mcb, BT_HDR *p_buf)
         return;
 
     case RFCOMM_MX_MSC:
+        if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
+            length != RFCOMM_MX_MSC_LEN_NO_BREAK)
+        {
+            RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__, length);
+            LOG_ERROR(LOG_TAG, "111937065");
+            osi_free(p_buf);
+            return;
+        }
 
         ea                   = *p_data & RFCOMM_EA;
         cr                   = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
-- 
2.11.0