Add BT_HDR length check for received AVCTP packets

author Pavlin Radoslavov <pavlin@google.com>

Thu, 31 May 2018 18:04:54 +0000 (11:04 -0700)

committer android-build-team Robot <android-build-team-robot@google.com>

Fri, 10 Aug 2018 20:31:00 +0000 (20:31 +0000)
author Pavlin Radoslavov <pavlin@google.com>
Thu, 31 May 2018 18:04:54 +0000 (11:04 -0700)
committer android-build-team Robot <android-build-team-robot@google.com>
Fri, 10 Aug 2018 20:31:00 +0000 (20:31 +0000)
diff --git a/stack/avct/avct_bcb_act.cc b/stack/avct/avct_bcb_act.cc

index 70d8ce7..011a52d 100644 (file)
--- a/stack/avct/avct_bcb_act.cc
+++ b/stack/avct/avct_bcb_act.cc
@@ -69,6 +69,12 @@ static BT_HDR* avct_bcb_msg_asmbl(UNUSED_ATTR tAVCT_BCB* p_bcb, BT_HDR* p_buf) {
    uint8_t* p;
    uint8_t pkt_type;
  
+  if (p_buf->len == 0) {
+    osi_free_and_reset((void**)&p_buf);
+    android_errorWriteLog(0x534e4554, "79944113");
+    return nullptr;
+  }
+
    /* parse the message header */
    p = (uint8_t*)(p_buf + 1) + p_buf->offset;
    pkt_type = AVCT_PKT_TYPE(p);
author	Pavlin Radoslavov <pavlin@google.com>
	Thu, 31 May 2018 18:04:54 +0000 (11:04 -0700)
committer	android-build-team Robot <android-build-team-robot@google.com>
	Fri, 10 Aug 2018 20:31:00 +0000 (20:31 +0000)