HCI: Check length of connection complete event
Fixes: 141619686
Test: Pair and connect
Change-Id: Ib15d6a8cbb8c6a7404bf1afa023277429029867d
(cherry picked from commit 7ee6458cf4939ad78dbebd70c2520ad56c31f4a9)
diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index c70448e..fd52da0 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -68,7 +68,7 @@
static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p);
static void btu_hcif_extended_inquiry_result_evt(uint8_t* p);
-static void btu_hcif_connection_comp_evt(uint8_t* p);
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len);
static void btu_hcif_connection_request_evt(uint8_t* p);
static void btu_hcif_disconnection_comp_evt(uint8_t* p);
static void btu_hcif_authentication_comp_evt(uint8_t* p);
@@ -272,7 +272,7 @@
btu_hcif_extended_inquiry_result_evt(p);
break;
case HCI_CONNECTION_COMP_EVT:
- btu_hcif_connection_comp_evt(p);
+ btu_hcif_connection_comp_evt(p, hci_evt_len);
break;
case HCI_CONNECTION_REQUEST_EVT:
btu_hcif_connection_request_evt(p);
@@ -990,7 +990,7 @@
* Returns void
*
******************************************************************************/
-static void btu_hcif_connection_comp_evt(uint8_t* p) {
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len) {
uint8_t status;
uint16_t handle;
RawAddress bda;
@@ -998,6 +998,12 @@
uint8_t enc_mode;
tBTM_ESCO_DATA esco_data;
+ if (evt_len < 11) {
+ android_errorWriteLog(0x534e4554, "141619686");
+ HCI_TRACE_WARNING("%s: malformed event of size %hhd", __func__, evt_len);
+ return;
+ }
+
STREAM_TO_UINT8(status, p);
STREAM_TO_UINT16(handle, p);
STREAM_TO_BDADDR(bda, p);
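Review bot: The warning in the new length guard formats the `uint8_t` `evt_len` with `%hhd`, which is a signed conversion, so any length of 128 or more would be logged as a negative number; the matching specifier is `%hhu`, i.e. `HCI_TRACE_WARNING("%s: malformed event of size %hhu", __func__, evt_len);`. The bound of 11 matches the five fields read below (status, handle, bdaddr, link type, encryption mode) but is a magic number; a one-line comment such as `// status(1) + handle(2) + bda(6) + link_type(1) + enc_mode(1)` next to the check, or a named constant, would keep the guard in step with the reads if another field is ever parsed. The caller in the dispatch hunk passes `hci_evt_len`, whose declared type is not visible here; if it is wider than `uint8_t` the implicit narrowing should be confirmed safe. The body of `btu_hcif_connection_comp_evt` continues past the end of this hunk.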