Check SDU lower bound before allocate p_data
Bug: 112321180
Test: SL4A BleCocTest:test_coc_insecured_connection_write_ascii
Change-Id: Id0c9aa2097f0b6bdc2bb9fa9086daa9452188e1d
(cherry picked from commit 785e12ed58d020a0df075163c1831021c0cde218)
diff --git a/stack/l2cap/l2c_fcr.cc b/stack/l2cap/l2c_fcr.cc
index b20b9c1..8326e4d 100644
--- a/stack/l2cap/l2c_fcr.cc
+++ b/stack/l2cap/l2c_fcr.cc
@@ -841,6 +841,14 @@
return;
}
+ if (sdu_length < p_buf->len) {
+ L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
+ android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
+ /* Discard the buffer */
+ osi_free(p_buf);
+ return;
+ }
+
p_data = (BT_HDR*)osi_malloc(BT_HDR_SIZE + sdu_length);
if (p_data == NULL) {
osi_free(p_buf);