From d01b391e9b81eef88e21744b5dbff9568f2fb427 Mon Sep 17 00:00:00 2001
From: Hansong Zhang <hsz@google.com>
Date: Wed, 11 Apr 2018 16:04:51 -0700
Subject: [PATCH] DO NOT MERGE Add bounds check for BNEP_Write

Bug: 74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
CVE-2018-9357
---
 stack/bnep/bnep_api.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c
index 9a7b5d944..3e866d100 100644
--- a/stack/bnep/bnep_api.c
+++ b/stack/bnep/bnep_api.c
@@ -24,6 +24,7 @@
 
 #include <string.h>
 #include "bnep_api.h"
+#include <log/log.h>
 #include "bnep_int.h"
 
 
@@ -414,6 +415,10 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle,
             else
             {
                 new_len += 4;
+                if (new_len > org_len) {
+                  android_errorWriteLog(0x534e4554, "74947856");
+                  return BNEP_IGNORE_CMD;
+                }
                 p_data[2] = 0;
                 p_data[3] = 0;
             }
@@ -521,6 +526,10 @@ tBNEP_RESULT  BNEP_Write (UINT16 handle,
             else
             {
                 new_len += 4;
+                if (new_len > org_len) {
+                  android_errorWriteLog(0x534e4554, "74947856");
+                  return BNEP_IGNORE_CMD;
+                }
                 p_data[2] = 0;
                 p_data[3] = 0;
             }
-- 
2.11.0