Add packet length checks in mca_ccb_hdl_req Bug: 110791536 Test: manual Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a

commit: 4de7ccdd914b7a178df9180d15f675b257ea6e02 [log] [tgz]
author: Cheney Ni <cheneyni@google.com> Tue Aug 07 21:32:07 2018 +0800
committer: Cheney Ni <cheneyni@google.com> Thu Aug 09 13:20:36 2018 +0800
tree: 28560bce313e1e5a968cda2c4a0826765b3a4dce
parent: 0d4898a05dda44555595714a25d4f945e49205bd [diff]
diff --git a/stack/mcap/mca_cact.cc b/stack/mcap/mca_cact.cc
index c39700f..c293fde 100644
--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc

@@ -22,6 +22,7 @@
  *  Functions.
  *
  ******************************************************************************/
+#include <log/log.h>
 #include <string.h>
 #include "bt_common.h"
 #include "bt_target.h"
@@ -253,9 +254,15 @@
   p_rx_msg = (tMCA_CCB_MSG*)p_pkt;
   p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
   evt_data.hdr.op_code = *p++;
-  BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
   reject_opcode = evt_data.hdr.op_code + 1;
 
+  if (p_pkt->len >= 3) {
+    BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
+  } else {
+    android_errorWriteLog(0x534e4554, "110791536");
+    evt_data.hdr.mdl_id = 0;
+  }
+
   MCA_TRACE_DEBUG("received mdl id: %d ", evt_data.hdr.mdl_id);
   if (p_ccb->status == MCA_CCB_STAT_PENDING) {
     MCA_TRACE_DEBUG("received req inpending state");
commit	4de7ccdd914b7a178df9180d15f675b257ea6e02	[log] [tgz]
author	Cheney Ni <cheneyni@google.com>	Tue Aug 07 21:32:07 2018 +0800
committer	Cheney Ni <cheneyni@google.com>	Thu Aug 09 13:20:36 2018 +0800
tree	28560bce313e1e5a968cda2c4a0826765b3a4dce
parent	0d4898a05dda44555595714a25d4f945e49205bd [diff]