Prevent Out of bounds read in llcp_dlc Test: Nfc Enable/Disable; Android Beam; Tag reading Bug: 116722267 Merged-In: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6 Change-Id: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6 (cherry picked from commit d127969d21627579b7c715c88cc516824bd4f462)

commit: bdbbff54adf9b66fbb86c9bcec0a7259207549d6 [log] [tgz]
author: George Chang <georgekgchang@google.com> Fri Oct 19 18:13:05 2018 +0800
committer: Rohit Yengisetty <rngy@google.com> Mon Nov 05 13:52:51 2018 -0800
tree: f5a643f676ba340ff5ddfd6366640742ea38bc4a
parent: a74298061cc5262991e783e6235c7a695b3325ff [diff]
diff --git a/src/nfc/llcp/llcp_dlc.c b/src/nfc/llcp/llcp_dlc.c
index 95bcac5..bc4910e 100644
--- a/src/nfc/llcp/llcp_dlc.c
+++ b/src/nfc/llcp/llcp_dlc.c

@@ -23,6 +23,7 @@
  *
  ******************************************************************************/
 
+#include <log/log.h>
 #include <string.h>
 #include "gki.h"
 #include "nfc_target.h"
@@ -883,6 +884,15 @@
             p_i_pdu = (UINT8 *) (p_msg + 1) + p_msg->offset;
         }
 
+        if (i_pdu_length < LLCP_PDU_HEADER_SIZE + LLCP_SEQUENCE_SIZE) {
+          android_errorWriteLog(0x534e4554, "116722267");
+          LLCP_TRACE_ERROR1 ("Insufficient I PDU length %d", i_pdu_length);
+          if (p_msg) {
+            GKI_freebuf(p_msg);
+          }
+          return;
+        }
+
         info_len = i_pdu_length - LLCP_PDU_HEADER_SIZE - LLCP_SEQUENCE_SIZE;
 
         if (info_len > p_dlcb->local_miu)
commit	bdbbff54adf9b66fbb86c9bcec0a7259207549d6	[log] [tgz]
author	George Chang <georgekgchang@google.com>	Fri Oct 19 18:13:05 2018 +0800
committer	Rohit Yengisetty <rngy@google.com>	Mon Nov 05 13:52:51 2018 -0800
tree	f5a643f676ba340ff5ddfd6366640742ea38bc4a
parent	a74298061cc5262991e783e6235c7a695b3325ff [diff]