L2CAP: Check length for packet before connection complete Bug: 141745011 Test: Run POC Change-Id: I9dc27521fa2e7f6ea345ec65dc9d3e873d71ef0f

commit: 7f0731f2c1838835ddd932c2449a0151153c08a1 [log] [tgz]
author: Hansong Zhang <hsz@google.com> Fri Oct 18 13:14:23 2019 -0700
committer: Hansong Zhang <hsz@google.com> Fri Oct 18 13:15:14 2019 -0700
tree: ebc8746b864a10591d8dd571387106292fa17448
parent: a7ee9536312e99c638d001dd98e11d90f84a21e7 [diff]
diff --git a/system/stack/l2cap/l2c_main.cc b/system/stack/l2cap/l2c_main.cc
index 128f60e..52d77c5 100644
--- a/system/stack/l2cap/l2c_main.cc
+++ b/system/stack/l2cap/l2c_main.cc

@@ -97,6 +97,11 @@
     /* There is a slight possibility (specifically with USB) that we get an */
     /* L2CAP connection request before we get the HCI connection complete.  */
     /* So for these types of messages, hold them for up to 2 seconds.       */
+    if (l2cap_len == 0) {
+      L2CAP_TRACE_WARNING("received empty L2CAP packet");
+      osi_free(p_msg);
+      return;
+    }
     uint8_t cmd_code;
     STREAM_TO_UINT8(cmd_code, p);
commit	7f0731f2c1838835ddd932c2449a0151153c08a1	[log] [tgz]
author	Hansong Zhang <hsz@google.com>	Fri Oct 18 13:14:23 2019 -0700
committer	Hansong Zhang <hsz@google.com>	Fri Oct 18 13:15:14 2019 -0700
tree	ebc8746b864a10591d8dd571387106292fa17448
parent	a7ee9536312e99c638d001dd98e11d90f84a21e7 [diff]