avrcp: Ignore AVCT commands that are too long
Bug: 177611958
Test: compilation
Tag: #security
Change-Id: If914b5928cdf16696eb54bfe91c2869cbbf8e36c
(cherry picked from commit dc07e927b1272be92095a47634dce0ba3b44b4fd)
diff --git a/stack/avrc/avrc_api.cc b/stack/avrc/avrc_api.cc
index 1ac856a..579aae5 100644
--- a/stack/avrc/avrc_api.cc
+++ b/stack/avrc/avrc_api.cc
@@ -634,9 +634,10 @@
tAVRC_MSG_VENDOR* p_msg = &msg.vendor;
if (cr == AVCT_CMD && (p_pkt->layer_specific & AVCT_DATA_CTRL &&
- AVRC_PACKET_LEN < sizeof(p_pkt->len))) {
- /* Ignore the invalid AV/C command frame */
- p_drop_msg = "dropped - too long AV/C cmd frame size";
+ p_pkt->len > AVRC_PACKET_LEN)) {
+ android_errorWriteLog(0x534e4554, "177611958");
+ AVRC_TRACE_WARNING("%s: Command length %d too long: must be at most %d",
+ __func__, p_pkt->len, AVRC_PACKET_LEN);
osi_free(p_pkt);
return;
}
