HH: Check parameter length in bta_hh_ctrl_dat_act Bug: 116108738 Test: send a malformed GET_IDLE command with no parameters Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c (cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf)

commit: e1685cfa533db4155a447c405d7065cc17af2ae9 [log] [tgz]
author: Myles Watson <mylesgw@google.com> Thu Oct 25 14:33:33 2018 -0700
committer: android-build-team Robot <android-build-team-robot@google.com> Thu Nov 15 18:20:17 2018 +0000
tree: 3eef9abee5bee950e0b125164997249c6b94e5db
parent: 8679463ade0ee029ef826ed4fb7a847e2a981375 [diff]
diff --git a/bta/hh/bta_hh_act.cc b/bta/hh/bta_hh_act.cc
index 4d85437..a7bdc9c 100644
--- a/bta/hh/bta_hh_act.cc
+++ b/bta/hh/bta_hh_act.cc

@@ -26,6 +26,7 @@
 
 #if (BTA_HH_INCLUDED == TRUE)
 
+#include <log/log.h>
 #include <string.h>
 
 #include "bta_hh_co.h"
@@ -717,6 +718,12 @@
   APPL_TRACE_DEBUG("Ctrl DATA received w4: event[%s]",
                    bta_hh_get_w4_event(p_cb->w4_evt));
 #endif
+  if (pdata->len == 0) {
+    android_errorWriteLog(0x534e4554, "116108738");
+    p_cb->w4_evt = 0;
+    osi_free_and_reset((void**)&pdata);
+    return;
+  }
   hs_data.status = BTA_HH_OK;
   hs_data.handle = p_cb->hid_handle;
commit	e1685cfa533db4155a447c405d7065cc17af2ae9	[log] [tgz]
author	Myles Watson <mylesgw@google.com>	Thu Oct 25 14:33:33 2018 -0700
committer	android-build-team Robot <android-build-team-robot@google.com>	Thu Nov 15 18:20:17 2018 +0000
tree	3eef9abee5bee950e0b125164997249c6b94e5db
parent	8679463ade0ee029ef826ed4fb7a847e2a981375 [diff]