
DO NOT MERGE: Add packet length checks in mca_ccb_hdl_req
authorCheney Ni <cheneyni@google.com>
Tue, 7 Aug 2018 13:32:07 +0000 (21:32 +0800)
committerRyan Longair <rlongair@google.com>
Wed, 15 Aug 2018 20:24:05 +0000 (13:24 -0700)
Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit fb5115a9f8782cc27b2ba860f9855d3fe882e0fc)

stack/mcap/mca_cact.c

index 483169a..8b6c8d9 100644 (file)
@@ -22,6 +22,7 @@
  *  Functions.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
 #include "bt_target.h"
 #include "bt_utils.h"
@@ -269,9 +270,15 @@ void mca_ccb_hdl_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
     p_rx_msg = (tMCA_CCB_MSG *)p_pkt;
     p = (UINT8 *)(p_pkt + 1) + p_pkt->offset;
     evt_data.hdr.op_code = *p++;
-    BE_STREAM_TO_UINT16 (evt_data.hdr.mdl_id, p);
     reject_opcode = evt_data.hdr.op_code+1;
 
+    if (p_pkt->len >= 3) {
+        BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
+    } else {
+        android_errorWriteLog(0x534e4554, "110791536");
+        evt_data.hdr.mdl_id = 0;
+    }
+
     MCA_TRACE_DEBUG ("received mdl id: %d ", evt_data.hdr.mdl_id);
     if (p_ccb->status == MCA_CCB_STAT_PENDING)
     {
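Review bot: The opcode byte is still read by `evt_data.hdr.op_code = *p++;` before any length check, so a zero-length packet is read one byte past its payload; the new `p_pkt->len >= 3` test only protects the mdl_id read. A guard ahead of that line, for example `if (p_pkt->len < 1) { android_errorWriteLog(0x534e4554, "110791536"); /* discard the packet here */ }`, would cover it, using whatever cleanup this function already applies to a consumed packet. The short-packet branch also does not reject the request: processing continues with `evt_data.hdr.mdl_id = 0`, so any per-opcode fields parsed further down would need their own length checks, which should be confirmed in the code after the hunk. The body of mca_ccb_hdl_req starts before and continues past the hunk.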