Security fix for potential OOB read in L2CAP Bug: 212694559 Tag: #security Test: gd/cert/run Ignore-AOSP-First: Security fix Change-Id: I6b5580a48295911f41e131e2328a3e284daeb68f (cherry picked from commit 4775e3d04e62bf22fd2552cd271599f65fc06a3e) Merged-In:I6b5580a48295911f41e131e2328a3e284daeb68f

commit: 1e38a411e70f7f9fa6b78e4e75479e818f20e401 [log] [tgz]
author: Chris Manton <cmanton@google.com> Mon Feb 07 17:39:06 2022 -0800
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Mon Feb 14 23:13:22 2022 +0000
tree: d5d838623bb865fcf9bc10deeab2f04f7535bc0e
parent: f8f00629d484c70309df83210afeaee321654587 [diff]
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index b826dc1..16454a5 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc

@@ -811,6 +811,11 @@
 
     case L2CAP_CMD_CREDIT_BASED_RECONFIG_RES: {
       uint16_t result;
+      if (p + sizeof(uint16_t) > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "212694559");
+        LOG(ERROR) << "invalid read";
+        return;
+      }
       STREAM_TO_UINT16(result, p);
 
       L2CAP_TRACE_DEBUG(
commit	1e38a411e70f7f9fa6b78e4e75479e818f20e401	[log] [tgz]
author	Chris Manton <cmanton@google.com>	Mon Feb 07 17:39:06 2022 -0800
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	Mon Feb 14 23:13:22 2022 +0000
tree	d5d838623bb865fcf9bc10deeab2f04f7535bc0e
parent	f8f00629d484c70309df83210afeaee321654587 [diff]