DO NOT MERGE Fix OOB read before buffer length check Bug: 111936834 Test: manual Change-Id: Ib98528fb62db0d724ebd9112d071e367f78e369d (cherry picked from commit 4548f34c90803c6544f6bed03399f2eabeab2a8e)

commit: e6fa120750438de815e9db403b68a2643fc03762 [log] [tgz]
author: Ugo Yu <ugoyu@google.com> Wed Aug 08 14:46:42 2018 +0800
committer: android-build-team Robot <android-build-team-robot@google.com> Thu Aug 16 01:24:19 2018 +0000
tree: 6b3aead4a5f6d6d216113e1328f63a2fe4540c49
parent: 6090e5b5ffca63a8ba4abaaf1acce668e83438d3 [diff]
diff --git a/stack/smp/smp_act.cc b/stack/smp/smp_act.cc
index 2103776..59045be 100644
--- a/stack/smp/smp_act.cc
+++ b/stack/smp/smp_act.cc

@@ -725,13 +725,17 @@
   uint8_t reason = SMP_INVALID_PARAMETERS;
 
   SMP_TRACE_DEBUG("%s", __func__);
-  p_cb->status = *(uint8_t*)p_data;
 
   if (smp_command_has_invalid_parameters(p_cb)) {
+    if (p_cb->rcvd_cmd_len < 2) {  // 1 (opcode) + 1 (Notif Type) bytes
+      android_errorWriteLog(0x534e4554, "111936834");
+    }
     smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
     return;
   }
 
+  p_cb->status = *(uint8_t*)p_data;
+
   if (p != NULL) {
     STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
   } else {
commit	e6fa120750438de815e9db403b68a2643fc03762	[log] [tgz]
author	Ugo Yu <ugoyu@google.com>	Wed Aug 08 14:46:42 2018 +0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Thu Aug 16 01:24:19 2018 +0000
tree	6b3aead4a5f6d6d216113e1328f63a2fe4540c49
parent	6090e5b5ffca63a8ba4abaaf1acce668e83438d3 [diff]