Prevent Out of bounds read in llcp_dlc
Test: Nfc Enable/Disable; Android Beam; Tag reading
Bug: 116722267
Merged-In: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6
Change-Id: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6
(cherry picked from commit d127969d21627579b7c715c88cc516824bd4f462)
diff --git a/src/nfc/llcp/llcp_dlc.c b/src/nfc/llcp/llcp_dlc.c
index 95bcac5..bc4910e 100644
--- a/src/nfc/llcp/llcp_dlc.c
+++ b/src/nfc/llcp/llcp_dlc.c
@@ -23,6 +23,7 @@
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "gki.h"
#include "nfc_target.h"
@@ -883,6 +884,15 @@
p_i_pdu = (UINT8 *) (p_msg + 1) + p_msg->offset;
}
+ if (i_pdu_length < LLCP_PDU_HEADER_SIZE + LLCP_SEQUENCE_SIZE) {
+ android_errorWriteLog(0x534e4554, "116722267");
+ LLCP_TRACE_ERROR1 ("Insufficient I PDU length %d", i_pdu_length);
+ if (p_msg) {
+ GKI_freebuf(p_msg);
+ }
+ return;
+ }
+
info_len = i_pdu_length - LLCP_PDU_HEADER_SIZE - LLCP_SEQUENCE_SIZE;
if (info_len > p_dlcb->local_miu)
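Review bot: The new length guard ahead of `info_len = i_pdu_length - LLCP_PDU_HEADER_SIZE - LLCP_SEQUENCE_SIZE` has no comment saying what it protects, and the `0x534e4554` literal passed to `android_errorWriteLog` is unexplained. I would put `/* An I PDU must hold at least the header and the sequence field; a shorter one would push the info_len subtraction below out of range. */` above the `if`. Beside the log call, a short comment should say that `0x534e4554` is ASCII "SNET" and that the string is the bug id from the commit message. The early return also drops the short PDU with only a local log entry. If the code after the hunk answers other malformed I PDUs with a reject to the peer, this path should probably match it, but that cannot be confirmed here because the enclosing function starts and ends outside the hunk.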