Add packet length checks in l2cble_process_sig_cmd
Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
diff --git a/stack/l2cap/l2c_ble.c b/stack/l2cap/l2c_ble.c
index a5cfb4d..74fba02 100644
--- a/stack/l2cap/l2c_ble.c
+++ b/stack/l2cap/l2c_ble.c
@@ -31,6 +31,7 @@
#include "btm_int.h"
#include "hcimsgs.h"
#include "device/include/controller.h"
+#include "log/log.h"
#if (BLE_INCLUDED == TRUE)
static void l2cble_start_conn_update (tL2C_LCB *p_lcb);
@@ -601,6 +602,13 @@
p_pkt_end = p + pkt_len;
+ if (p + 4 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad packet length", __func__);
+ return;
+ }
+
STREAM_TO_UINT8 (cmd_code, p);
STREAM_TO_UINT8 (id, p);
STREAM_TO_UINT16 (cmd_len, p);
@@ -625,6 +633,12 @@
break;
case L2CAP_CMD_BLE_UPDATE_REQ:
+ if (p + 8 > p_pkt_end)
+ {
+ android_errorWriteLog(0x534e4554, "80261585");
+ L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
+ return;
+ }
STREAM_TO_UINT16 (min_interval, p); /* 0x0006 - 0x0C80 */
STREAM_TO_UINT16 (max_interval, p); /* 0x0006 - 0x0C80 */
STREAM_TO_UINT16 (latency, p); /* 0x0000 - 0x03E8 */
