Add packet length check for received AVCTP packets Bug: 79944113 Test: Manual: Custom test program and extra logging Change-Id: Icde465fed723bf876ce3885d11099fddcb92de81 Merged-In: Icde465fed723bf876ce3885d11099fddcb92de81 (cherry picked from commit 2a934acf498a6b715cc7c634123aa403a70fe9e6) (cherry picked from commit d6fb21d8d8ae20addfc51246d840151fc86d8572)

commit: 5c1fc8184845745685848ae834ff4f8a9a9fc92d [log] [tgz]
author: Pavlin Radoslavov <pavlin@google.com> Wed May 30 19:26:16 2018 -0700
committer: android-build-team Robot <android-build-team-robot@google.com> Fri Aug 10 20:30:57 2018 +0000
tree: 29753e654964d5264334779a88281d090210879f
parent: 57ebe9f70bb3b2c1c0e52a47e9c89f7d3ca290ab [diff]
diff --git a/stack/avct/avct_bcb_act.cc b/stack/avct/avct_bcb_act.cc
index bd99562..70d8ce7 100644
--- a/stack/avct/avct_bcb_act.cc
+++ b/stack/avct/avct_bcb_act.cc

@@ -25,6 +25,7 @@
 *
  *****************************************************************************/
 
+#include <log/log.h>
 #include <string.h>
 #include "avct_api.h"
 #include "avct_int.h"
@@ -520,6 +521,14 @@
     return;
   }
 
+  if (p_data->p_buf->len < AVCT_HDR_LEN_SINGLE) {
+    AVCT_TRACE_WARNING("Invalid AVCTP packet length %d: must be at least %d",
+                       p_data->p_buf->len, AVCT_HDR_LEN_SINGLE);
+    osi_free_and_reset((void**)&p_data->p_buf);
+    android_errorWriteLog(0x534e4554, "79944113");
+    return;
+  }
+
   p = (uint8_t*)(p_data->p_buf + 1) + p_data->p_buf->offset;
 
   /* parse header byte */
commit	5c1fc8184845745685848ae834ff4f8a9a9fc92d	[log] [tgz]
author	Pavlin Radoslavov <pavlin@google.com>	Wed May 30 19:26:16 2018 -0700
committer	android-build-team Robot <android-build-team-robot@google.com>	Fri Aug 10 20:30:57 2018 +0000
tree	29753e654964d5264334779a88281d090210879f
parent	57ebe9f70bb3b2c1c0e52a47e9c89f7d3ca290ab [diff]