Prevent Out of bounds read in llcp_dlc
Test: Nfc Enable/Disable; Android Beam; Tag reading
Bug: 116722267
Merged-In: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6
Change-Id: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6
(cherry picked from commit e9a57b8c410469de05c14e0ebc53fa021a84a06e)
(cherry picked from commit 97aad7e2c2e7c4168d0ad141b00150cafd2ced48)
diff --git a/src/nfc/llcp/llcp_dlc.c b/src/nfc/llcp/llcp_dlc.c
index 0465a95..288f988 100644
--- a/src/nfc/llcp/llcp_dlc.c
+++ b/src/nfc/llcp/llcp_dlc.c
@@ -22,6 +22,7 @@
*
******************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "bt_types.h"
#include "gki.h"
@@ -882,6 +883,15 @@
p_i_pdu = (uint8_t*)(p_msg + 1) + p_msg->offset;
}
+ if (i_pdu_length < LLCP_PDU_HEADER_SIZE + LLCP_SEQUENCE_SIZE) {
+ android_errorWriteLog(0x534e4554, "116722267");
+ LLCP_TRACE_ERROR1("Insufficient I PDU length %d", i_pdu_length);
+ if (p_msg) {
+ GKI_freebuf(p_msg);
+ }
+ return;
+ }
+
info_len = i_pdu_length - LLCP_PDU_HEADER_SIZE - LLCP_SEQUENCE_SIZE;
if (info_len > p_dlcb->local_miu) {
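Review bot: The new length guard above `info_len = i_pdu_length - LLCP_PDU_HEADER_SIZE - LLCP_SEQUENCE_SIZE;` carries no comment explaining why it must run before that subtraction. For a PDU shorter than header plus sequence field the result would go negative or wrap (the type of `info_len` is declared outside the hunk), and the size checks that follow would then work from a bogus length. I would add `/* An I PDU must hold at least header + sequence field; otherwise info_len below underflows and later parsing can read past the buffer. */` above the `if`, and `/* SafetyNet event-log tag */` beside `0x534e4554`. The early `return` frees `p_msg` only when it is non-NULL, which presumably matches the buffer ownership on the function's other exit paths. The function starts and ends outside the hunk, so that should be confirmed against them.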