HID Host: Check L2CAP packet data length
Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
diff --git a/stack/hid/hidh_conn.cc b/stack/hid/hidh_conn.cc
index 76c03a6..6f99c88 100644
--- a/stack/hid/hidh_conn.cc
+++ b/stack/hid/hidh_conn.cc
@@ -42,6 +42,7 @@
#include "hidh_api.h"
#include "hidh_int.h"
+#include "log/log.h"
#include "osi/include/osi.h"
static uint8_t find_conn_by_cid(uint16_t cid);
@@ -799,6 +800,14 @@
return;
}
+ if (p_msg->len < 1) {
+ HIDH_TRACE_WARNING("Rcvd L2CAP data, invalid length %d, should be >= 1",
+ p_msg->len);
+ osi_free(p_msg);
+ android_errorWriteLog(0x534e4554, "80493272");
+ return;
+ }
+
ttype = HID_GET_TRANS_FROM_HDR(*p_data);
param = HID_GET_PARAM_FROM_HDR(*p_data);
rep_type = param & HID_PAR_REP_TYPE_MASK;
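Review bot: The `p_msg->len < 1` guard only establishes that the single header byte read by `*p_data` is present, so any later branch that reads payload bytes for a particular transaction type still needs its own length check. The function starts and ends outside this hunk, so whether those reads are bounded cannot be confirmed from here and is worth verifying before relying on this fix alone. The check would also benefit from a comment stating the invariant, for example `// Need at least the 1-byte HID transaction header before dereferencing p_data.` The magic constant deserves one too, such as `// 0x534e4554 ("SNET") is the SafetyNet event-log tag; the string is the bug id.`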