Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1db3077a authored by Brian Delwiche's avatar Brian Delwiche Committed by Automerger Merge Worker
Browse files

Merge "Added max buffer length check" into tm-dev am: 7406459d 

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/19747499



Change-Id: Ide3ef0d14c8042802ec29cecb2a59a1c56369cef
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 7e30f36b 7406459d

system/stack/avct/avct_lcb_act.cc

+6 −1
Original line number Diff line number Diff line
@@ -68,7 +68,12 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) { 
  pkt_type = AVCT_PKT_TYPE(p);



  /* quick sanity check on length */

  if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) {

  if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] ||

      (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) {

    if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) >

        BT_DEFAULT_BUFFER_SIZE) {

      android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0);

    }

    osi_free(p_buf);

    AVCT_TRACE_WARNING("Bad length during reassembly");

    p_ret = NULL;