Prevent Out of bounds read in llcp_dlc Test: Nfc Enable/Disable; Android Beam; Tag reading Bug: 116722267 Merged-In: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6 Change-Id: I9b5d1ad46ed18862dbb23b2ab2393edc3d0995e6 (cherry picked from commit e9a57b8c410469de05c14e0ebc53fa021a84a06e) (cherry picked from commit 97aad7e2c2e7c4168d0ad141b00150cafd2ced48)

commit: 9af82ae4e3ea9c6f71fd01f249343956ce1c24b7 [log] [tgz]
author: George Chang <georgekgchang@google.com> Tue Oct 16 17:10:42 2018 +0800
committer: android-build-team Robot <android-build-team-robot@google.com> Mon Nov 26 17:20:01 2018 +0000
tree: c25675c2b546e3123cd4f1b8e6839c94576b1ba8
parent: a729d18e7d36d1bfece18f526116e169e06ab408 [diff]
diff --git a/src/nfc/llcp/llcp_dlc.c b/src/nfc/llcp/llcp_dlc.c
index 0465a95..288f988 100644
--- a/src/nfc/llcp/llcp_dlc.c
+++ b/src/nfc/llcp/llcp_dlc.c

@@ -22,6 +22,7 @@
  *
  ******************************************************************************/
 
+#include <log/log.h>
 #include <string.h>
 #include "bt_types.h"
 #include "gki.h"
@@ -882,6 +883,15 @@
       p_i_pdu = (uint8_t*)(p_msg + 1) + p_msg->offset;
     }
 
+    if (i_pdu_length < LLCP_PDU_HEADER_SIZE + LLCP_SEQUENCE_SIZE) {
+      android_errorWriteLog(0x534e4554, "116722267");
+      LLCP_TRACE_ERROR1("Insufficient I PDU length %d", i_pdu_length);
+      if (p_msg) {
+        GKI_freebuf(p_msg);
+      }
+      return;
+    }
+
     info_len = i_pdu_length - LLCP_PDU_HEADER_SIZE - LLCP_SEQUENCE_SIZE;
 
     if (info_len > p_dlcb->local_miu) {
commit	9af82ae4e3ea9c6f71fd01f249343956ce1c24b7	[log] [tgz]
author	George Chang <georgekgchang@google.com>	Tue Oct 16 17:10:42 2018 +0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Mon Nov 26 17:20:01 2018 +0000
tree	c25675c2b546e3123cd4f1b8e6839c94576b1ba8
parent	a729d18e7d36d1bfece18f526116e169e06ab408 [diff]