Add packet length check in smp_proc_master_id Bug: 111937027 Test: manual Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075

commit: c8294662d07a98e9b8b1cab1ab681ec0805ce4e8 [log] [tgz]
author: Ugo Yu <ugoyu@google.com> Wed Aug 08 16:09:58 2018 +0800
committer: Hansong Zhang <hsz@google.com> Fri Aug 10 12:15:30 2018 -0700
tree: a8679f18aae5ac283fb715eddff65b8e507964a5
parent: 0d4898a05dda44555595714a25d4f945e49205bd [diff]
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 51b8972..dda6897 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc

@@ -919,6 +919,14 @@
   tBTM_LE_PENC_KEYS le_key;
 
   SMP_TRACE_DEBUG("%s", __func__);
+
+  if (p_cb->rcvd_cmd_len < 11) {  // 1(Code) + 2(EDIV) + 8(Rand)
+    android_errorWriteLog(0x534e4554, "111937027");
+    SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11",
+                    __func__, p_cb->rcvd_cmd_len);
+    return;
+  }
+
   smp_update_key_mask(p_cb, SMP_SEC_KEY_TYPE_ENC, true);
 
   STREAM_TO_UINT16(le_key.ediv, p);
commit	c8294662d07a98e9b8b1cab1ab681ec0805ce4e8	[log] [tgz]
author	Ugo Yu <ugoyu@google.com>	Wed Aug 08 16:09:58 2018 +0800
committer	Hansong Zhang <hsz@google.com>	Fri Aug 10 12:15:30 2018 -0700
tree	a8679f18aae5ac283fb715eddff65b8e507964a5
parent	0d4898a05dda44555595714a25d4f945e49205bd [diff]