Check packet length in bta_av_proc_meta_cmd
Bug: 111893951
Test: manual - connect A2DP
Change-Id: Ibbf347863dfd29ea3385312e9dde1082bc90d2f3
(cherry picked from commit ed51887f921263219bcd2fbf6650ead5ec8d334e)
diff --git a/bta/av/bta_av_act.cc b/bta/av/bta_av_act.cc
index ad3bf3d..5625f90 100644
--- a/bta/av/bta_av_act.cc
+++ b/bta/av/bta_av_act.cc
@@ -35,6 +35,7 @@
#include "bta_av_api.h"
#include "bta_av_int.h"
#include "l2c_api.h"
+#include "log/log.h"
#include "osi/include/list.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
@@ -784,11 +785,16 @@
case AVRC_PDU_GET_CAPABILITIES:
/* process GetCapabilities command without reporting the event to app */
evt = 0;
+ if (p_vendor->vendor_len != 5) {
+ android_errorWriteLog(0x534e4554, "111893951");
+ p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
+ break;
+ }
u8 = *(p_vendor->p_vendor_data + 4);
p = p_vendor->p_vendor_data + 2;
p_rc_rsp->get_caps.capability_id = u8;
BE_STREAM_TO_UINT16(u16, p);
- if ((u16 != 1) || (p_vendor->vendor_len != 5)) {
+ if (u16 != 1) {
p_rc_rsp->get_caps.status = AVRC_STS_INTERNAL_ERR;
} else {
p_rc_rsp->get_caps.status = AVRC_STS_NO_ERROR;