DO NOT MERGE - Check SDU lower bound before allocate p_data Bug: 112321180 Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d (cherry picked from commit 6fc96f847be808a4f38eae45b5e9bbc3f18b9a2d)

commit: 02fc52878d8dba16b860fbdf415b6e4425922b2c [log] [tgz]
author: Ugo Yu <ugoyu@google.com> Mon Sep 17 15:59:30 2018 +0800
committer: android-build-team Robot <android-build-team-robot@google.com> Fri Oct 19 16:24:17 2018 +0000
tree: 4d22447c5a62d8002f539b58513d826c01b89d13
parent: 55343c265a2e94f855f4c7a882063673040a2a86 [diff]
diff --git a/stack/l2cap/l2c_fcr.cc b/stack/l2cap/l2c_fcr.cc
index 9c2742f..9030096 100644
--- a/stack/l2cap/l2c_fcr.cc
+++ b/stack/l2cap/l2c_fcr.cc

@@ -842,6 +842,14 @@
       return;
     }
 
+    if (sdu_length < p_buf->len) {
+      L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
+      android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
+      /* Discard the buffer */
+      osi_free(p_buf);
+      return;
+    }
+
     p_data = (BT_HDR*)osi_malloc(L2CAP_MAX_BUF_SIZE);
     if (p_data == NULL) {
       osi_free(p_buf);
commit	02fc52878d8dba16b860fbdf415b6e4425922b2c	[log] [tgz]
author	Ugo Yu <ugoyu@google.com>	Mon Sep 17 15:59:30 2018 +0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Fri Oct 19 16:24:17 2018 +0000
tree	4d22447c5a62d8002f539b58513d826c01b89d13
parent	55343c265a2e94f855f4c7a882063673040a2a86 [diff]