Check SDU lower bound before allocate p_data Bug: 112321180 Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d (cherry picked from commit 785e12ed58d020a0df075163c1831021c0cde218)

commit: 82ef3ceb978fd5d95a310ff555d42b271dae530a [log] [tgz]
author: Ugo Yu <ugoyu@google.com> Mon Sep 17 15:59:30 2018 +0800
committer: android-build-team Robot <android-build-team-robot@google.com> Sat Oct 20 00:18:10 2018 +0000
tree: 7447eda297beb3fc46f191e4bff113ab0d69a124
parent: a6f9ca4aaeb141dd12011d50b0803e0de9e609a6 [diff]
diff --git a/stack/l2cap/l2c_fcr.cc b/stack/l2cap/l2c_fcr.cc
index b20b9c1..8326e4d 100644
--- a/stack/l2cap/l2c_fcr.cc
+++ b/stack/l2cap/l2c_fcr.cc

@@ -841,6 +841,14 @@
       return;
     }
 
+    if (sdu_length < p_buf->len) {
+      L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
+      android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
+      /* Discard the buffer */
+      osi_free(p_buf);
+      return;
+    }
+
     p_data = (BT_HDR*)osi_malloc(BT_HDR_SIZE + sdu_length);
     if (p_data == NULL) {
       osi_free(p_buf);
commit	82ef3ceb978fd5d95a310ff555d42b271dae530a	[log] [tgz]
author	Ugo Yu <ugoyu@google.com>	Mon Sep 17 15:59:30 2018 +0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Sat Oct 20 00:18:10 2018 +0000
tree	7447eda297beb3fc46f191e4bff113ab0d69a124
parent	a6f9ca4aaeb141dd12011d50b0803e0de9e609a6 [diff]