Android-x86
Forksystem/bt
| Révision | f1c2c86080bcd7b3142ff821441696fc99c2bc9a (tree) |
|---|---|
| l'heure | 2018-05-26 03:42:06 |
| Auteur | Ajay Panicker <apanicke@goog...> |
| Commiter | android-build-team Robot |
Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
Bug: 74121659
Test: Compiles
Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
(cherry picked from commit ca4f8a18bce9331360144f1dbc51db1e2525bcc3)
stack/l2cap/l2c_ble.cc (diff)| @@ -33,6 +33,7 @@ | ||
| 33 | 33 | #include "hcimsgs.h" |
| 34 | 34 | #include "l2c_int.h" |
| 35 | 35 | #include "l2cdefs.h" |
| 36 | +#include "log/log.h" | |
| 36 | 37 | #include "osi/include/osi.h" |
| 37 | 38 | #include "stack_config.h" |
| 38 | 39 |
| @@ -788,6 +789,10 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { | ||
| 788 | 789 | break; |
| 789 | 790 | |
| 790 | 791 | case L2CAP_CMD_DISC_REQ: |
| 792 | + if (p + 4 > p_pkt_end) { | |
| 793 | + android_errorWriteLog(0x534e4554, "74121659"); | |
| 794 | + return; | |
| 795 | + } | |
| 791 | 796 | STREAM_TO_UINT16(lcid, p); |
| 792 | 797 | STREAM_TO_UINT16(rcid, p); |
| 793 | 798 |
