DO NOT MERGE - Check SDU lower bound before allocate p_data
Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)
diff --git a/stack/l2cap/l2c_fcr.cc b/stack/l2cap/l2c_fcr.cc
index 9c2742f..9030096 100644
--- a/stack/l2cap/l2c_fcr.cc
+++ b/stack/l2cap/l2c_fcr.cc
@@ -842,6 +842,14 @@
return;
}
+ if (sdu_length < p_buf->len) {
+ L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
+ android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
+ /* Discard the buffer */
+ osi_free(p_buf);
+ return;
+ }
+
p_data = (BT_HDR*)osi_malloc(L2CAP_MAX_BUF_SIZE);
if (p_data == NULL) {
osi_free(p_buf);