DO NOT MERGE Add bound check for rfc_parse_data

[android-x86/system-bt.git] / stack / rfcomm / rfc_ts_frames.c

diff --git a/stack/rfcomm/rfc_ts_frames.c b/stack/rfcomm/rfc_ts_frames.c
index 739469f..e8a874a 100644 (file)
--- a/stack/rfcomm/rfc_ts_frames.c
+++ b/stack/rfcomm/rfc_ts_frames.c
@@ -30,6 +30,7 @@
 #include "l2c_api.h"
 #include "port_int.h"
 #include "rfc_int.h"
+#include "log/log.h"
 
 /*******************************************************************************
 **
@@ -555,7 +556,15 @@ UINT8 rfc_parse_data (tRFC_MCB *p_mcb, MX_FRAME *p_frame, BT_HDR *p_buf)
         return (RFC_EVENT_BAD_FRAME);
     }
     RFCOMM_PARSE_TYPE_FIELD (p_frame->type, p_frame->pf, p_data);
-    RFCOMM_PARSE_LEN_FIELD (eal, len, p_data);
+    eal = *p_data & RFCOMM_EA;
+    len = (*p_data++ >> RFCOMM_SHIFT_LENGTH1);
+    if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN) {
+        len += (*p_data++ << RFCOMM_SHIFT_LENGTH2);
+    } else if (eal == 0) {
+        RFCOMM_TRACE_ERROR ("Bad Length when EAL = 0: %d", p_buf->len);
+        android_errorWriteLog(0x534e4554, "78288018");
+        return RFC_EVENT_BAD_FRAME;
+    }
 
     p_buf->len      -= (3 + !ead + !eal + 1);  /* Additional 1 for FCS */
     p_buf->offset   += (3 + !ead + !eal);