
Commit 00622371 authored by Pavlin Radoslavov

Add a missing check for PAN buffer size before copying data

Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit f253a59e)
(cherry picked from commit aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
parent c4d32624
+11 −0
@@ -26,6 +26,8 @@

#if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)

#include <cutils/log.h>

#include "bta_api.h"
#include "bta_sys.h"
#include "gki.h"
@@ -206,6 +208,15 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,

    if ( sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset )
    {
        if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
            GKI_get_pool_bufsize(PAN_POOL_ID)) {
            android_errorWriteLog(0x534e4554, "63146237");
            APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
                             p_buf->len);
            GKI_freebuf(p_buf);
            return;
        }

        /* offset smaller than data structure in front of actual data */
        p_new_buf = (BT_HDR *)GKI_getpoolbuf( PAN_POOL_ID );
        if(!p_new_buf)
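Review bot: The new length guard carries no comment saying what it bounds, and the pre-existing comment `/* offset smaller than data structure in front of actual data */` now sits after the guard instead of next to the condition it explains; a reader landing here sees `sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len` with nothing tying it to the `GKI_getpoolbuf(PAN_POOL_ID)` allocation below. I would move that comment up to just under the `if ( sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset )` line and put above the guard something like `/* The payload will be re-packed into a fresh PAN_POOL_ID buffer as BT_HDR + tBTA_PAN_DATA_PARAMS + data; a peer-supplied len that does not fit must be dropped here rather than overflow that buffer. */`. The early return frees p_buf, which is consistent with this callback owning the incoming buffer, but that ownership is only visible in the part of the function outside the hunk, so it is worth confirming no caller frees it again. Whether GKI_get_pool_bufsize() reports the area after the GKI header (so that counting sizeof(BT_HDR) here matches where the data is written) is presumably true but not shown in this hunk; a one-line comment stating that assumption would make the bound auditable. The enclosing function continues past the end of the hunk.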