Prevent Out of bounds read in llcp_dlc
Test: Nfc Enable/Disable; Android Beam; Tag reading
Bug: 116722267
Merged-In: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6
Change-Id: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6
(cherry picked from commit e9a57b8c410469de05c14e0ebc53fa021a84a06e)
(cherry picked from commit b0cd165a602d71ae8748021cd5ee0ef9ebc1ed5b)
diff --git a/src/nfc/llcp/llcp_dlc.cc b/src/nfc/llcp/llcp_dlc.cc
index 7f0ae4f..7f06e36 100644
--- a/src/nfc/llcp/llcp_dlc.cc
+++ b/src/nfc/llcp/llcp_dlc.cc
@@ -26,7 +26,7 @@
#include <android-base/stringprintf.h>
#include <base/logging.h>
-
+#include <log/log.h>
#include "bt_types.h"
#include "gki.h"
#include "llcp_defs.h"
@@ -871,6 +871,15 @@
p_i_pdu = (uint8_t*)(p_msg + 1) + p_msg->offset;
}
+ if (i_pdu_length < LLCP_PDU_HEADER_SIZE + LLCP_SEQUENCE_SIZE) {
+ android_errorWriteLog(0x534e4554, "116722267");
+ LOG(ERROR) << StringPrintf("Insufficient I PDU length %d", i_pdu_length);
+ if (p_msg) {
+ GKI_freebuf(p_msg);
+ }
+ return;
+ }
+
info_len = i_pdu_length - LLCP_PDU_HEADER_SIZE - LLCP_SEQUENCE_SIZE;
if (info_len > p_dlcb->local_miu) {
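Review bot: The new length guard has no comment saying what it protects against, and the reason is not obvious from the added lines alone. Without it, a PDU shorter than the header plus sequence field would make `info_len = i_pdu_length - LLCP_PDU_HEADER_SIZE - LLCP_SEQUENCE_SIZE` underflow, and any later read of the header or sequence bytes through `p_i_pdu` would presumably run past the received buffer. I would add `// Reject I PDUs too short to hold header + sequence byte, so info_len cannot underflow.` above the `if`, and `// 0x534e4554 ("SNET") is the SafetyNet event tag; the string is the bug id.` above `android_errorWriteLog`. The early `return` also drops the frame without any response to the peer. Whether a frame reject is expected for a malformed I PDU depends on the rest of the function, which starts and ends outside this hunk, so that is worth confirming.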