Add packet length checks in mca_ccb_hdl_req
Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
diff --git a/stack/mcap/mca_cact.cc b/stack/mcap/mca_cact.cc
index c39700f..c293fde 100644
--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc
@@ -22,6 +22,7 @@
* Functions.
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "bt_common.h"
#include "bt_target.h"
@@ -253,9 +254,15 @@
p_rx_msg = (tMCA_CCB_MSG*)p_pkt;
p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
evt_data.hdr.op_code = *p++;
- BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
reject_opcode = evt_data.hdr.op_code + 1;
+ if (p_pkt->len >= 3) {
+ BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
+ } else {
+ android_errorWriteLog(0x534e4554, "110791536");
+ evt_data.hdr.mdl_id = 0;
+ }
+
MCA_TRACE_DEBUG("received mdl id: %d ", evt_data.hdr.mdl_id);
if (p_ccb->status == MCA_CCB_STAT_PENDING) {
MCA_TRACE_DEBUG("received req inpending state");
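Review bot: The opcode read `evt_data.hdr.op_code = *p++;` still runs before any length check, so a packet with `p_pkt->len == 0` is read past its payload; the new `p_pkt->len >= 3` guard covers only the mdl_id field. A `p_pkt->len < 1` check placed ahead of that line would close the gap. How to bail out there (freeing the packet, sending a reject) depends on parts of mca_ccb_hdl_req outside this hunk. On a short packet the new branch logs and carries on with `evt_data.hdr.mdl_id = 0` instead of rejecting the request, so any later per-opcode parsing that reads further bytes from `p` would presumably need its own length check against `p_pkt->len`. A short comment on the `3` (one opcode byte plus the two-byte MDL ID) would also make the bound easier to audit.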