Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 16918ee1 authored by Pavlin Radoslavov's avatar Pavlin Radoslavov
Browse files

Add checks whether the AVDTP element data length is valid 

Bug: 78288378
Test: Manual: Python script and extra logging
Change-Id: I576d798d8b566946a3f2d973cb9d4e8dbd22d09e
Merged-In: I715b5977c833d33ff798f008fbf244effa13ea1f
parent d2e34404

system/stack/avdt/avdt_msg.c

+11 −0
Original line number Diff line number Diff line
@@ -26,6 +26,7 @@ 
 *

 ******************************************************************************/



#include <log/log.h>

#include <string.h>

#include "bt_types.h"

#include "bt_target.h"
@@ -671,6 +672,11 @@ static UINT8 avdt_msg_prs_cfg(tAVDT_CFG *p_cfg, UINT8 *p, UINT16 len, UINT8* p_e 


            case AVDT_CAT_PROTECT:

                p_cfg->psc_mask &= ~AVDT_PSC_PROTECT;

                if (p + elem_len > p_end) {

                    err = AVDT_ERR_LENGTH;

                    android_errorWriteLog(0x534e4554, "78288378");

                    break;

                }

                if ((elem_len + protect_offset) < AVDT_PROTECT_SIZE)

                {

                    p_cfg->num_protect++;
@@ -745,6 +751,11 @@ static UINT8 avdt_msg_prs_cfg(tAVDT_CFG *p_cfg, UINT8 *p, UINT16 len, UINT8* p_e 
                {

                    tmp = AVDT_CODEC_SIZE - 1;

                }

                if (p + tmp > p_end) {

                    err = AVDT_ERR_LENGTH;

                    android_errorWriteLog(0x534e4554, "78288378");

                    break;

                }

                p_cfg->num_codec++;

                p_cfg->codec_info[0] = elem_len;

                memcpy(&p_cfg->codec_info[1], p, tmp);