Merge "Fix OOB in BNEP_Write" (06a1fbcd) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/bnep/bnep_api.cc

+11 −2

Original line number	Diff line number	Diff line
		@@ -340,10 +340,15 @@ tBNEP_RESULT BNEP_WriteBuf(uint16_t handle, const RawAddress& p_dest_addr,
		p_bcb = &(bnep_cb.bcb[handle - 1]);
		/* Check MTU size */
		if (p_buf->len > BNEP_MTU_SIZE) {
		BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", p_buf->len,
		BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, p_buf->len,
		BNEP_MTU_SIZE);
		osi_free(p_buf);
		return (BNEP_MTU_EXCEDED);
		} else if (p_buf->len < 2) {
		BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
		p_buf->len);
		osi_free(p_buf);
		return BNEP_IGNORE_CMD;
		}

		/* Check if the packet should be filtered out */
		@@ -437,9 +442,13 @@ tBNEP_RESULT BNEP_Write(uint16_t handle, const RawAddress& p_dest_addr,

		/* Check MTU size. Consider the possibility of having extension headers */
		if (len > BNEP_MTU_SIZE) {
		BNEP_TRACE_ERROR("BNEP_Write() length %d exceeded MTU %d", len,
		BNEP_TRACE_ERROR("%s length %d exceeded MTU %d", __func__, len,
		BNEP_MTU_SIZE);
		return (BNEP_MTU_EXCEDED);
		} else if (len < 2) {
		BNEP_TRACE_ERROR("%s length %d too short, must be at least 2", __func__,
		len);
		return BNEP_IGNORE_CMD;
		}

		if ((!handle) \|\| (handle > BNEP_MAX_CONNECTIONS)) return (BNEP_WRONG_HANDLE);