process_l2cap_cmd: Fix OOB

Bug: 119870451
Test: POC
Change-Id: I2f5e7fedd9aed96c4ffc55af79fdac61c2e5b087
Merged-In: I5131bbf9cda6248fdbbc4bb91916b2fe3731246e
(cherry picked from commit 94fd011bc9a72081cc691ed7d6e6eec42e9f4539)
diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index 1f3fb8f..f914083 100644
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -471,7 +471,11 @@
           switch (cfg_code & 0x7F) {
             case L2CAP_CFG_TYPE_MTU:
               cfg_info.mtu_present = true;
-              if (p + 2 > p_next_cmd) {
+              if (cfg_len != 2) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
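Review bot: The exact-length check `if (cfg_len != 2)` is the real fix here but carries no comment, so a later reader sees only a magic literal duplicated across two adjacent conditions; I would add `// cfg_len is peer-supplied: the decoder below reads exactly this many bytes, so anything else is a malformed option and the request is dropped.` above it and express the size once, e.g. a named constant used by both tests. The retained `if (p + cfg_len > p_next_cmd)` still forms the pointer `p + cfg_len` before comparing, which is only well-defined while the result stays within the command buffer; the difference form `if (p_next_cmd - p < cfg_len)` avoids forming an out-of-range pointer (the types of p, p_next_cmd and cfg_len are not visible in the hunk, so confirm the subtraction is on the same element type). The same two points apply to the FLUSH_TOUT, QOS, FCR, FCS and EXT_FLOW hunks below. The enclosing switch and the option-walking loop around it start and end outside the hunk.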
@@ -480,7 +484,11 @@
 
             case L2CAP_CFG_TYPE_FLUSH_TOUT:
               cfg_info.flush_to_present = true;
-              if (p + 2 > p_next_cmd) {
+              if (cfg_len != 2) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
@@ -489,7 +497,11 @@
 
             case L2CAP_CFG_TYPE_QOS:
               cfg_info.qos_present = true;
-              if (p + 2 + 5 * 4 > p_next_cmd) {
+              if (cfg_len != 2 + 5 * 4) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
@@ -504,7 +516,11 @@
 
             case L2CAP_CFG_TYPE_FCR:
               cfg_info.fcr_present = true;
-              if (p + 3 + 3 * 2 > p_next_cmd) {
+              if (cfg_len != 3 + 3 * 2) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
@@ -518,7 +534,11 @@
 
             case L2CAP_CFG_TYPE_FCS:
               cfg_info.fcs_present = true;
-              if (p + 1 > p_next_cmd) {
+              if (cfg_len != 1) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
@@ -527,7 +547,11 @@
 
             case L2CAP_CFG_TYPE_EXT_FLOW:
               cfg_info.ext_flow_spec_present = true;
-              if (p + 2 + 2 + 3 * 4 > p_next_cmd) {
+              if (cfg_len != 2 + 2 + 3 * 4) {
+                android_errorWriteLog(0x534e4554, "119870451");
+                return;
+              }
+              if (p + cfg_len > p_next_cmd) {
                 android_errorWriteLog(0x534e4554, "74202041");
                 return;
               }
diff --git a/stack/l2cap/l2c_utils.cc b/stack/l2cap/l2c_utils.cc
index f07f4e3..943b72c 100644
--- a/stack/l2cap/l2c_utils.cc
+++ b/stack/l2cap/l2c_utils.cc
@@ -804,6 +804,9 @@
       case L2CAP_CFG_TYPE_MTU:
       case L2CAP_CFG_TYPE_FLUSH_TOUT:
       case L2CAP_CFG_TYPE_QOS:
+      case L2CAP_CFG_TYPE_FCR:
+      case L2CAP_CFG_TYPE_FCS:
+      case L2CAP_CFG_TYPE_EXT_FLOW:
         p_data += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
         break;