Check LE advertising data length before caching advertising records

Change-Id: Ib14ee8aa165b11002cdf82f86a1e547854c98347
diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
index 286787e..7fe3c99 100644
--- a/stack/btm/btm_ble_gap.c
+++ b/stack/btm/btm_ble_gap.c
@@ -28,6 +28,8 @@
 #include <stdio.h>
 #include <stddef.h>
 
+#include <log/log.h>
+
 #include "bt_types.h"
 #include "bt_utils.h"
 #include "btm_ble_api.h"
@@ -2285,7 +2287,7 @@
 ** Returns          void
 **
 *******************************************************************************/
-void btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type)
+BOOLEAN btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type)
 {
     tBTM_BLE_INQ_CB     *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;
     UINT8 *p_cache;
@@ -2305,8 +2307,16 @@
         STREAM_TO_UINT8(length, p);
         while ( length && ((p_le_inq_cb->adv_len + length + 1) <= BTM_BLE_CACHE_ADV_DATA_MAX))
         {
+            /* adv record size must be smaller than the total adv data size */
+            if ((length + 1) > data_len) {
+                BTM_TRACE_ERROR("BTM - got incorrect LE advertising data");
+                android_errorWriteLog(0x534e4554, "33899337");
+                return FALSE;
+            }
             /* copy from the length byte & data into cache */
             memcpy(p_cache, p-1, length+1);
+            /* reduce the total data size by size of data copied */
+            data_len -= length + 1;
             /* advance the cache pointer past data */
             p_cache += length+1;
             /* increment cache length */
@@ -2316,6 +2326,7 @@
             STREAM_TO_UINT8(length, p);
         }
     }
+    return TRUE;
 
     /* parse service UUID from adv packet and save it in inq db eir_uuid */
     /* TODO */
@@ -2540,7 +2551,9 @@
         BTM_TRACE_WARNING("EIR data too long %d. discard", data_len);
         return FALSE;
     }
-    btm_ble_cache_adv_data(p_cur, data_len, p, evt_type);
+    if (!btm_ble_cache_adv_data(p_cur, data_len, p, evt_type)) {
+        return FALSE;
+    }
 
     p1 = (p + data_len);
     STREAM_TO_UINT8 (rssi, p1);