
Commit 071f8eee authored by Hansong Zhang

Check L2CAP size only for start packet

Bug: 124071248
Test: manual
Change-Id: I1d79ee77b344dd3d17d3705e6eef0a72e13f35f1
parent 3ba7d9ba
+7 −7
@@ -123,17 +123,10 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) {
  if ((packet->event & MSG_EVT_MASK) == MSG_HC_TO_STACK_HCI_ACL) {
    uint8_t* stream = packet->data;
    uint16_t handle;
    uint16_t l2cap_length;
    uint16_t acl_length;

    if (packet->len < 6) {
      LOG_WARN(LOG_TAG, "%s invalid packet length %d", __func__, packet->len);
      return;
    }

    STREAM_TO_UINT16(handle, stream);
    STREAM_TO_UINT16(acl_length, stream);
    STREAM_TO_UINT16(l2cap_length, stream);

    CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);

@@ -141,6 +134,13 @@ static void reassemble_and_dispatch(UNUSED_ATTR BT_HDR* packet) {
    handle = handle & HANDLE_MASK;

    if (boundary_flag == START_PACKET_BOUNDARY) {
      if (acl_length < 2) {
        LOG_WARN(LOG_TAG, "%s invalid acl_length %d", __func__, acl_length);
        buffer_allocator->free(packet);
        return;
      }
      uint16_t l2cap_length;
      STREAM_TO_UINT16(l2cap_length, stream);
      auto map_iter = partial_packets.find(handle);
      if (map_iter != partial_packets.end()) {
        LOG_WARN(LOG_TAG,