Security fix for potential OOB read in L2CAP
Bug: 212694559
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security fix
Change-Id: I6b5580a48295911f41e131e2328a3e284daeb68f
(cherry picked from commit 4775e3d04e62bf22fd2552cd271599f65fc06a3e)
Merged-In:I6b5580a48295911f41e131e2328a3e284daeb68f
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index b826dc1..16454a5 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -811,6 +811,11 @@
case L2CAP_CMD_CREDIT_BASED_RECONFIG_RES: {
uint16_t result;
+ if (p + sizeof(uint16_t) > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "212694559");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
STREAM_TO_UINT16(result, p);
L2CAP_TRACE_DEBUG(