HCI: Check length of connection complete event

Fixes: 141619686
Test: Pair and connect
Change-Id: Ib15d6a8cbb8c6a7404bf1afa023277429029867d
(cherry picked from commit 7ee6458cf4939ad78dbebd70c2520ad56c31f4a9)
diff --git a/stack/btu/btu_hcif.cc b/stack/btu/btu_hcif.cc
index c70448e..fd52da0 100644
--- a/stack/btu/btu_hcif.cc
+++ b/stack/btu/btu_hcif.cc
@@ -68,7 +68,7 @@
 static void btu_hcif_inquiry_rssi_result_evt(uint8_t* p);
 static void btu_hcif_extended_inquiry_result_evt(uint8_t* p);
 
-static void btu_hcif_connection_comp_evt(uint8_t* p);
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len);
 static void btu_hcif_connection_request_evt(uint8_t* p);
 static void btu_hcif_disconnection_comp_evt(uint8_t* p);
 static void btu_hcif_authentication_comp_evt(uint8_t* p);
@@ -272,7 +272,7 @@
       btu_hcif_extended_inquiry_result_evt(p);
       break;
     case HCI_CONNECTION_COMP_EVT:
-      btu_hcif_connection_comp_evt(p);
+      btu_hcif_connection_comp_evt(p, hci_evt_len);
       break;
     case HCI_CONNECTION_REQUEST_EVT:
       btu_hcif_connection_request_evt(p);
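Review bot: Only the connection-complete case receives the event length here. The neighbouring `btu_hcif_extended_inquiry_result_evt(p)` and `btu_hcif_connection_request_evt(p)` calls in the same switch still pass a bare pointer, so those handlers cannot bound their reads against the length the controller reported. Whether they actually read past a short event cannot be told from this hunk, but giving each fixed-size event handler the same `(p, hci_evt_len)` signature and a minimum-length check would be a worthwhile follow-up. The declaration of `hci_evt_len` is outside the hunk; if it is wider than `uint8_t`, the implicit narrowing at this call should be checked.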
@@ -990,7 +990,7 @@
  * Returns          void
  *
  ******************************************************************************/
-static void btu_hcif_connection_comp_evt(uint8_t* p) {
+static void btu_hcif_connection_comp_evt(uint8_t* p, uint8_t evt_len) {
   uint8_t status;
   uint16_t handle;
   RawAddress bda;
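Review bot: The header comment above `btu_hcif_connection_comp_evt` is left unchanged by this commit, so the new `evt_len` parameter and the early return on a short event are undocumented. I would add a line to the description such as `evt_len - parameter length of the HCI event in bytes; events shorter than the fixed connection-complete layout are logged and dropped`. The comment block starts above the hunk, so its existing wording is not visible here.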
@@ -998,6 +998,12 @@
   uint8_t enc_mode;
   tBTM_ESCO_DATA esco_data;
 
+  if (evt_len < 11) {
+    android_errorWriteLog(0x534e4554, "141619686");
+    HCI_TRACE_WARNING("%s: malformed event of size %hhd", __func__, evt_len);
+    return;
+  }
+
   STREAM_TO_UINT8(status, p);
   STREAM_TO_UINT16(handle, p);
   STREAM_TO_BDADDR(bda, p);
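Review bot: The bound in `if (evt_len < 11)` is a bare literal with nothing tying it to the fields parsed after it. The reads visible here (status, handle, bda) account for 9 bytes, and the remaining 2 are presumably the link type and `enc_mode` reads below the hunk. A named constant, or a comment such as `/* status(1) + handle(2) + bd_addr(6) + link_type(1) + enc_mode(1) */`, would keep the check from drifting if the parser changes. Separately, `%hhd` is a signed conversion while `evt_len` is `uint8_t`, so `%u` is the matching specifier, although the value is always below 11 on this path. The function body continues outside the hunk.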