
Add a missing check for PAN buffer size before copying data
[android-x86/system-bt.git] / bta / pan / bta_pan_act.c
index 1995478..f80dca1 100644 (file)
@@ -26,6 +26,8 @@
 
 #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)
 
+#include <cutils/log.h>
+
 #include "bta_api.h"
 #include "bta_sys.h"
 #include "bt_common.h"
@@ -176,6 +178,14 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
 
     if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
         /* offset smaller than data structure in front of actual data */
+        if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+            PAN_BUF_SIZE) {
+            android_errorWriteLog(0x534e4554, "63146237");
+            APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+                             p_buf->len);
+            osi_free(p_buf);
+            return;
+        }
         p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
         memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
                (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);
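Review bot: The new bound at the top of the hunk is correct for the memcpy at the bottom, but the relationship is implicit — the `sizeof(BT_HDR)` term is there because the payload is written past `p_new_buf + 1` inside the single `PAN_BUF_SIZE` allocation, and nothing ties the two lines together if someone later changes the destination offset. A comment above the check such as `/* p_new_buf is one PAN_BUF_SIZE allocation holding BT_HDR + tBTA_PAN_DATA_PARAMS + payload; reject data that would overrun it */` would make the derivation visible. The check bounds only the destination write; it still trusts `p_buf->len` and `p_buf->offset` to lie within `p_buf`'s own allocation, which presumably the lower layer guarantees before calling this callback. bta_pan_data_buf_ind_cback starts before the hunk and continues after it.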