Add packet length check for received AVCTP packets
Bug: 79944113
Test: Manual: Custom test program and extra logging
Change-Id: Icde465fed723bf876ce3885d11099fddcb92de81
Merged-In: Icde465fed723bf876ce3885d11099fddcb92de81
(cherry picked from commit 2a934acf498a6b715cc7c634123aa403a70fe9e6)
(cherry picked from commit d6fb21d8d8ae20addfc51246d840151fc86d8572)
diff --git a/stack/avct/avct_bcb_act.cc b/stack/avct/avct_bcb_act.cc
index bd99562..70d8ce7 100644
--- a/stack/avct/avct_bcb_act.cc
+++ b/stack/avct/avct_bcb_act.cc
@@ -25,6 +25,7 @@
*
*****************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "avct_api.h"
#include "avct_int.h"
@@ -520,6 +521,14 @@
return;
}
+ if (p_data->p_buf->len < AVCT_HDR_LEN_SINGLE) {
+ AVCT_TRACE_WARNING("Invalid AVCTP packet length %d: must be at least %d",
+ p_data->p_buf->len, AVCT_HDR_LEN_SINGLE);
+ osi_free_and_reset((void**)&p_data->p_buf);
+ android_errorWriteLog(0x534e4554, "79944113");
+ return;
+ }
+
p = (uint8_t*)(p_data->p_buf + 1) + p_data->p_buf->offset;
/* parse header byte */