Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 45db9edf authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review
Browse files

Merge "Add a missing check for PAN buffer size before copying data" into mnc-dev

parents dece8b7d 00622371
Loading
Loading
Loading
Loading
+11 −0
Original line number Diff line number Diff line
@@ -26,6 +26,8 @@

#if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)

#include <cutils/log.h>

#include "bta_api.h"
#include "bta_sys.h"
#include "gki.h"
@@ -206,6 +208,15 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,

    if ( sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset )
    {
        if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
            GKI_get_pool_bufsize(PAN_POOL_ID)) {
            android_errorWriteLog(0x534e4554, "63146237");
            APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
                             p_buf->len);
            GKI_freebuf(p_buf);
            return;
        }

        /* offset smaller than data structure in front of actual data */
        p_new_buf = (BT_HDR *)GKI_getpoolbuf( PAN_POOL_ID );
        if(!p_new_buf)