Snap for 5217200 from 4a0e17fd7ed8c0a7f774324cbb56d6bb9ae2d576 to pi-b4s4-release
Change-Id: I94755c0216b887869c73ed4e5c5a6b2bd2891a2d
diff --git a/stack/l2cap/l2c_fcr.cc b/stack/l2cap/l2c_fcr.cc
index 8326e4d..88503fb 100644
--- a/stack/l2cap/l2c_fcr.cc
+++ b/stack/l2cap/l2c_fcr.cc
@@ -833,7 +833,16 @@
}
if (p_ccb->is_first_seg) {
+ if (p_buf->len < sizeof(sdu_length)) {
+ L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",
+ __func__, p_buf->len);
+ android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);
+ /* Discard the buffer */
+ osi_free(p_buf);
+ return;
+ }
STREAM_TO_UINT16(sdu_length, p);
+
/* Check the SDU Length with local MTU size */
if (sdu_length > p_ccb->local_conn_cfg.mtu) {
/* Discard the buffer */
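Review bot: The new error message hardcodes the minimum as "2" while the guard on the line above it uses `sizeof(sdu_length)`, so the two will silently disagree if the header type ever changes; prefer `L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least %d.", __func__, p_buf->len, (int)sizeof(sdu_length));`. The guard itself is the right fix, since without it STREAM_TO_UINT16 reads two bytes from a buffer that may hold fewer and the later `p_buf->len -= sizeof(sdu_length)` underflows. Freeing p_buf before returning matches the "Discard the buffer" handling of the MTU check below, assuming that path also frees it (the free is outside this hunk). The enclosing function starts before this hunk and the `is_first_seg` block continues past it.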
@@ -841,6 +850,9 @@
return;
}
+ p_buf->len -= sizeof(sdu_length);
+ p_buf->offset += sizeof(sdu_length);
+
if (sdu_length < p_buf->len) {
L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
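Review bot: The two added lines change what the `sdu_length < p_buf->len` check measures — p_buf->len is now the payload remaining after the 2-byte SDU length header rather than the whole PDU — and nothing in the code says so; a comment above them would keep the next reader from "restoring" the old order. Suggested: `/* Consume the SDU length header so p_buf->len/offset describe only the payload; must precede the length checks below. */`. Because the offset is advanced before the remaining checks, any discard path after this point now receives a p_buf whose offset has moved; that is harmless if those paths only free the buffer, which this hunk does not show. The enclosing function and the `is_first_seg` block both continue outside this hunk.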
@@ -859,8 +871,6 @@
p_data->len = 0;
p_ccb->ble_sdu_length = sdu_length;
L2CAP_TRACE_DEBUG("%s SDU Length = %d", __func__, sdu_length);
- p_buf->len -= sizeof(sdu_length);
- p_buf->offset += sizeof(sdu_length);
p_data->offset = 0;
} else {