Prevent OOBR in nfa_hci_conn_cback
Bug: 139740814
Test: build pass
Change-Id: I3b9d2741afcfe04caa47d17361ce0601b705df56
(cherry picked from commit 6ff4c0c1f81c46e49b7d46f062ef9722305975de)
diff --git a/src/nfa/hci/nfa_hci_main.cc b/src/nfa/hci/nfa_hci_main.cc
index d6667e1..b4c43be 100644
--- a/src/nfa/hci/nfa_hci_main.cc
+++ b/src/nfa/hci/nfa_hci_main.cc
@@ -741,11 +741,26 @@
p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
pkt_len = p_pkt->len;
+ if (pkt_len < 1) {
+ LOG(ERROR) << StringPrintf("Insufficient packet length! Dropping :%u bytes",
+ pkt_len);
+ /* release GKI buffer */
+ GKI_freebuf(p_pkt);
+ return;
+ }
+
chaining_bit = ((*p) >> 0x07) & 0x01;
pipe = (*p++) & 0x7F;
if (pkt_len != 0) pkt_len--;
if (nfa_hci_cb.assembling == false) {
+ if (pkt_len < 1) {
+ LOG(ERROR) << StringPrintf(
+ "Insufficient packet length! Dropping :%u bytes", pkt_len);
+ /* release GKI buffer */
+ GKI_freebuf(p_pkt);
+ return;
+ }
/* First Segment of a packet */
nfa_hci_cb.type = ((*p) >> 0x06) & 0x03;
nfa_hci_cb.inst = (*p++ & 0x3F);