HH: Check parameter length in bta_hh_ctrl_dat_act
Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf)
diff --git a/bta/hh/bta_hh_act.cc b/bta/hh/bta_hh_act.cc
index 4d85437..a7bdc9c 100644
--- a/bta/hh/bta_hh_act.cc
+++ b/bta/hh/bta_hh_act.cc
@@ -26,6 +26,7 @@
#if (BTA_HH_INCLUDED == TRUE)
+#include <log/log.h>
#include <string.h>
#include "bta_hh_co.h"
@@ -717,6 +718,12 @@
APPL_TRACE_DEBUG("Ctrl DATA received w4: event[%s]",
bta_hh_get_w4_event(p_cb->w4_evt));
#endif
+ if (pdata->len == 0) {
+ android_errorWriteLog(0x534e4554, "116108738");
+ p_cb->w4_evt = 0;
+ osi_free_and_reset((void**)&pdata);
+ return;
+ }
hs_data.status = BTA_HH_OK;
hs_data.handle = p_cb->hid_handle;