From b910734a55fd3babf71b049d5638bf86f81d7c1e Mon Sep 17 00:00:00 2001
From: Myles Watson
Date: Thu, 11 Jan 2018 14:20:26 -0800
Subject: [PATCH] BNEP: Check received frame type

Bug: 68818034
Test: build
Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019
---
 stack/bnep/bnep_main.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/stack/bnep/bnep_main.cc b/stack/bnep/bnep_main.cc
index 17d35eb88..19d807805 100644
--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc
@@ -451,6 +451,12 @@ static void bnep_data_ind(uint16_t l2cap_cid, BT_HDR* p_buf) {
 type = *p++;
 extension_present = type >> 7;
 type &= 0x7f;
+ if (type >= sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])) {
+ BNEP_TRACE_EVENT("BNEP - rcvd frame, bad type: 0x%02x", type);
+ android_errorWriteLog(0x534e4554, "68818034");
+ osi_free(p_buf);
+ return;
+ }
 if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE)) {
 BNEP_TRACE_EVENT("BNEP - rcvd frame, bad len: %d type: 0x%02x", p_buf->len, type);
-- 
2.11.0
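Review bot: The new bound on `type` is spelled inline as `sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])`, which stays correct only while `bnep_frame_hdr_sizes` is a true array in this translation unit (a pointer would silently give the wrong count). Its definition is outside the hunk, so that is worth confirming, and a named element count declared next to the table would keep the table and this guard from drifting apart. The call `android_errorWriteLog(0x534e4554, "68818034")` carries two unexplained literals; a one-line comment such as `// Security event log entry: tag 0x534e4554 ("SNET"), bug id 68818034` would stop the tag being read as frame data. `bnep_data_ind` begins above the hunk, so whether `p_buf->len` is known to be non-zero before the context line `type = *p++` reads the first byte cannot be judged from here and should be checked alongside this fix. The commit lists only `Test: build`; a regression test that delivers a frame whose type is past the end of the table and asserts the buffer is dropped would pin the behaviour.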