[automerger] Add packet length checks in l2cble_process_sig_cmd am: d89048b8...

    UINT16          credit;

    UINT16          credit;

    p_pkt_end = p + pkt_len;

    p_pkt_end = p + pkt_len;

    if (p + 4 > p_pkt_end)

    {

        android_errorWriteLog(0x534e4554, "80261585");

        L2CAP_TRACE_WARNING ("%s bad packet length", __func__);

        return;

    }

    STREAM_TO_UINT8  (cmd_code, p);

    STREAM_TO_UINT8  (cmd_code, p);

    STREAM_TO_UINT8  (id, p);

    STREAM_TO_UINT8  (id, p);

    STREAM_TO_UINT16 (cmd_len, p);

    STREAM_TO_UINT16 (cmd_len, p);

            break;

            break;

        case L2CAP_CMD_BLE_UPDATE_REQ:

        case L2CAP_CMD_BLE_UPDATE_REQ:

            if (p + 8 > p_pkt_end)

            {

                android_errorWriteLog(0x534e4554, "80261585");

                L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);

                return;

            }

            STREAM_TO_UINT16 (min_interval, p); /* 0x0006 - 0x0C80 */

            STREAM_TO_UINT16 (min_interval, p); /* 0x0006 - 0x0C80 */

            STREAM_TO_UINT16 (max_interval, p); /* 0x0006 - 0x0C80 */

            STREAM_TO_UINT16 (max_interval, p); /* 0x0006 - 0x0C80 */

            STREAM_TO_UINT16 (latency, p);  /* 0x0000 - 0x03E8 */

            STREAM_TO_UINT16 (latency, p);  /* 0x0000 - 0x03E8 */

            break;

            break;

        case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:

        case L2CAP_CMD_BLE_CREDIT_BASED_CONN_REQ:

            if (p + 10 > p_pkt_end)

            {

                android_errorWriteLog(0x534e4554, "80261585");

                L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);

                return;

            }

            STREAM_TO_UINT16 (con_info.psm, p);

            STREAM_TO_UINT16 (con_info.psm, p);

            STREAM_TO_UINT16 (rcid, p);

            STREAM_TO_UINT16 (rcid, p);

            STREAM_TO_UINT16 (mtu, p);

            STREAM_TO_UINT16 (mtu, p);

            if (p_ccb)

            if (p_ccb)

            {

            {

                L2CAP_TRACE_DEBUG ("I remember the connection req");

                L2CAP_TRACE_DEBUG ("I remember the connection req");

                if (p + 10 > p_pkt_end)

                {

                    android_errorWriteLog(0x534e4554, "80261585");

                    L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);

                    return;

                }

                STREAM_TO_UINT16 (p_ccb->remote_cid, p);

                STREAM_TO_UINT16 (p_ccb->remote_cid, p);

                STREAM_TO_UINT16 (p_ccb->peer_conn_cfg.mtu, p);

                STREAM_TO_UINT16 (p_ccb->peer_conn_cfg.mtu, p);

                STREAM_TO_UINT16 (p_ccb->peer_conn_cfg.mps, p);

                STREAM_TO_UINT16 (p_ccb->peer_conn_cfg.mps, p);

            break;

            break;

        case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:

        case L2CAP_CMD_BLE_FLOW_CTRL_CREDIT:

            if (p + 4 > p_pkt_end)

            {

                android_errorWriteLog(0x534e4554, "80261585");

                L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);

                return;

            }

            STREAM_TO_UINT16(lcid, p);

            STREAM_TO_UINT16(lcid, p);

            if((p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid)) == NULL)

            if((p_ccb = l2cu_find_ccb_by_remote_cid(p_lcb, lcid)) == NULL)

            {

            {

            break;

            break;

         case L2CAP_CMD_DISC_RSP:

         case L2CAP_CMD_DISC_RSP:

            if (p + 4 > p_pkt_end)

            {

                android_errorWriteLog(0x534e4554, "80261585");

                L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);

                return;

            }

            STREAM_TO_UINT16 (rcid, p);

            STREAM_TO_UINT16 (rcid, p);

            STREAM_TO_UINT16 (lcid, p);

            STREAM_TO_UINT16 (lcid, p);