Prevent OOBR in nfa_hci_conn_cback Bug: 139740814 Test: build pass Change-Id: I3b9d2741afcfe04caa47d17361ce0601b705df56 (cherry picked from commit 6ff4c0c1f81c46e49b7d46f062ef9722305975de)

commit: c3a2dab1a0153de251fb7142dda227dab01ab12b [log] [tgz]
author: Jack Yu <jackcwyu@google.com> Thu Mar 19 20:23:04 2020 +0800
committer: Jack Yu <jackcwyu@google.com> Fri Mar 20 10:40:50 2020 +0000
tree: bc2f39f3a9916c95cebba466fd7c303dd8ab9140
parent: a705221ae525ec5d1935659db2daf4ff886fb818 [diff]
diff --git a/src/nfa/hci/nfa_hci_main.cc b/src/nfa/hci/nfa_hci_main.cc
index d6667e1..b4c43be 100644
--- a/src/nfa/hci/nfa_hci_main.cc
+++ b/src/nfa/hci/nfa_hci_main.cc

@@ -741,11 +741,26 @@
   p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
   pkt_len = p_pkt->len;
 
+  if (pkt_len < 1) {
+    LOG(ERROR) << StringPrintf("Insufficient packet length! Dropping :%u bytes",
+                               pkt_len);
+    /* release GKI buffer */
+    GKI_freebuf(p_pkt);
+    return;
+  }
+
   chaining_bit = ((*p) >> 0x07) & 0x01;
   pipe = (*p++) & 0x7F;
   if (pkt_len != 0) pkt_len--;
 
   if (nfa_hci_cb.assembling == false) {
+    if (pkt_len < 1) {
+      LOG(ERROR) << StringPrintf(
+          "Insufficient packet length! Dropping :%u bytes", pkt_len);
+      /* release GKI buffer */
+      GKI_freebuf(p_pkt);
+      return;
+    }
     /* First Segment of a packet */
     nfa_hci_cb.type = ((*p) >> 0x06) & 0x03;
     nfa_hci_cb.inst = (*p++ & 0x3F);
commit	c3a2dab1a0153de251fb7142dda227dab01ab12b	[log] [tgz]
author	Jack Yu <jackcwyu@google.com>	Thu Mar 19 20:23:04 2020 +0800
committer	Jack Yu <jackcwyu@google.com>	Fri Mar 20 10:40:50 2020 +0000
tree	bc2f39f3a9916c95cebba466fd7c303dd8ab9140
parent	a705221ae525ec5d1935659db2daf4ff886fb818 [diff]