BNEP: Check received frame type Bug: 68818034 Test: build Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019 (cherry picked from commit b910734a55fd3babf71b049d5638bf86f81d7c1e)

commit: ae12fc48fa6c7a114234afa055ab1cd630d6da8d [log] [tgz]
author: Myles Watson <mylesgw@google.com> Thu Jan 11 14:20:26 2018 -0800
committer: android-build-team Robot <android-build-team-robot@google.com> Thu Jan 18 19:08:12 2018 +0000
tree: 45bdce524c12abc57cf8b5d039df4fa31629386c
parent: 08e68337a9eb45818d5a770570c8b1d15a14d904 [diff]
diff --git a/stack/bnep/bnep_main.cc b/stack/bnep/bnep_main.cc
index cf7a911..f621fdb 100644
--- a/stack/bnep/bnep_main.cc
+++ b/stack/bnep/bnep_main.cc

@@ -447,6 +447,12 @@
   type = *p++;
   extension_present = type >> 7;
   type &= 0x7f;
+  if (type >= sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])) {
+    BNEP_TRACE_EVENT("BNEP - rcvd frame, bad type: 0x%02x", type);
+    android_errorWriteLog(0x534e4554, "68818034");
+    osi_free(p_buf);
+    return;
+  }
   if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE)) {
     BNEP_TRACE_EVENT("BNEP - rcvd frame, bad len: %d  type: 0x%02x", p_buf->len,
                      type);
commit	ae12fc48fa6c7a114234afa055ab1cd630d6da8d	[log] [tgz]
author	Myles Watson <mylesgw@google.com>	Thu Jan 11 14:20:26 2018 -0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Thu Jan 18 19:08:12 2018 +0000
tree	45bdce524c12abc57cf8b5d039df4fa31629386c
parent	08e68337a9eb45818d5a770570c8b1d15a14d904 [diff]