Add checks whether the AVDTP element data length is valid
Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I576d798d8b566946a3f2d973cb9d4e8dbd22d09e
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
(cherry picked from commit e192c988cbe6c0593f23e6d8e2701b459e8d895c)
diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c
index adc1ae7..9697a59 100644
--- a/stack/avdt/avdt_msg.c
+++ b/stack/avdt/avdt_msg.c
@@ -26,6 +26,7 @@
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "bt_types.h"
#include "bt_target.h"
@@ -673,6 +674,11 @@
case AVDT_CAT_PROTECT:
p_cfg->psc_mask &= ~AVDT_PSC_PROTECT;
+ if (p + elem_len > p_end) {
+ err = AVDT_ERR_LENGTH;
+ android_errorWriteLog(0x534e4554, "78288378");
+ break;
+ }
if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE)
{
p_cfg->num_protect++;
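Review bot: The new guard `if (p + elem_len > p_end)` computes `p + elem_len` before comparing. When the declared length exceeds the remaining data, that pointer lies beyond one past the end of the buffer, which is undefined behaviour in C, so the comparison cannot be relied on. Comparing lengths avoids this: `if (elem_len > p_end - p) {`, assuming the parsing loop outside this hunk keeps `p <= p_end`. The codec check `if (p + tmp > p_end)` in the next hunk has the same form. Separately, `p_cfg->psc_mask` is cleared before the length is validated, so a rejected element still changes the mask; placing the guard above that line would keep the error path free of partial updates.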
@@ -747,6 +753,11 @@
{
tmp = AVDT_CODEC_SIZE - 1;
}
+ if (p + tmp > p_end) {
+ err = AVDT_ERR_LENGTH;
+ android_errorWriteLog(0x534e4554, "78288378");
+ break;
+ }
p_cfg->num_codec++;
p_cfg->codec_info[0] = elem_len;
memcpy(&p_cfg->codec_info[1], p, tmp);
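Review bot: The guard checks the clamped copy length `tmp`, not the declared `elem_len`. When the clamp to `AVDT_CODEC_SIZE - 1` applies, an element whose declared length runs past `p_end` is still accepted as long as that many bytes remain. `p_cfg->codec_info[0]` then records a length larger than the data actually present, and if the code after this hunk advances `p` by `elem_len` (not visible here), the cursor would end up beyond `p_end`. Validating the declared length with `if (elem_len > p_end - p) {` would reject the malformed element outright and still bound the `memcpy`. A comment such as `/* reject elements that claim more data than the packet holds */` above the check would record the intent.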