commit d7aef1110816c190c97763fe040200fe6b337de8
author Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Thu Sep 15 10:17:01 2022 +0000
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Thu Sep 15 10:17:01 2022 +0000
tree abb9a4deeb1ca1256f238643b9b4ebd544a15492
parent 2ca3a35989783f0f6c9ca72fb8e853081bc8aa3f
parent ef45ab91d1b45d79cbb9fb7ac30d82568b321721

Snap for 9068117 from ef45ab91d1b45d79cbb9fb7ac30d82568b321721 to mainline-neuralnetworks-release

Change-Id: I53b8859bf2d7b69c477fc8b99560665d0f3325a8

system/stack/avct/avct_lcb_act.cc

diff --git a/system/stack/avct/avct_lcb_act.cc b/system/stack/avct/avct_lcb_act.cc
index 6bbe9e6..fbbc1f1 100644
--- a/system/stack/avct/avct_lcb_act.cc
+++ b/system/stack/avct/avct_lcb_act.cc
@@ -68,7 +68,12 @@
   pkt_type = AVCT_PKT_TYPE(p);
 
   /* quick sanity check on length */
-  if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) {
+  if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] ||
+      (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) {
+    if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) >
+        BT_DEFAULT_BUFFER_SIZE) {
+      android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0);
+    }
     osi_free(p_buf);
     AVCT_TRACE_WARNING("Bad length during reassembly");
     p_ret = NULL;

system/stack/bnep/bnep_api.cc

diff --git a/system/stack/bnep/bnep_api.cc b/system/stack/bnep/bnep_api.cc
index ec35dcc..fb2f947 100644
--- a/system/stack/bnep/bnep_api.cc
+++ b/system/stack/bnep/bnep_api.cc
@@ -263,6 +263,7 @@
     p = (uint8_t*)(p_bcb->p_pending_data + 1) + p_bcb->p_pending_data->offset;
     while (extension_present && p && rem_len) {
       ext_type = *p++;
+      rem_len--;
       extension_present = ext_type >> 7;
       ext_type &= 0x7F;