Add packet length check in smp_proc_master_id
Bug: 111937027
Test: manual
Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 51b8972..dda6897 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc
@@ -919,6 +919,14 @@
tBTM_LE_PENC_KEYS le_key;
SMP_TRACE_DEBUG("%s", __func__);
+
+ if (p_cb->rcvd_cmd_len < 11) { // 1(Code) + 2(EDIV) + 8(Rand)
+ android_errorWriteLog(0x534e4554, "111937027");
+ SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
+ __func__, p_cb->rcvd_cmd_len);
+ return;
+ }
+
smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
STREAM_TO_UINT16(le_key.ediv, p);
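Review bot: The bare `return;` in the new length guard drops a short Master Identification packet without reporting anything to the pairing state machine. As far as this hunk shows, `smp_update_key_mask` is skipped and no failure is raised, so key distribution presumably stalls until some timeout instead of ending cleanly. Consider failing the pairing explicitly on this path with the SMP Invalid Parameters reason, via whatever failure path the rest of the file already uses, so a peer sending truncated packets gets a deterministic abort rather than a hung session. As a smaller point, the literal `11` appears in both the condition and the log text; a named constant such as `constexpr uint16_t kMasterIdCmdLen = 1 + 2 + 8;  // Code + EDIV + Rand` would keep them in step. The function begins and ends outside the hunk, so any later handling is not visible here.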