Add length check when copy AVDT and AVCT packet (493fcadb) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/avct/avct_lcb_act.cc

+7 −1

Original line number	Diff line number	Diff line
		@@ -89,13 +89,19 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) {
		if (p_lcb->p_rx_msg != NULL)
		AVCT_TRACE_WARNING("Got start during reassembly");

		osi_free(p_lcb->p_rx_msg);
		osi_free_and_reset((void**)&p_lcb->p_rx_msg);

		/*
		* Allocate bigger buffer for reassembly. As lower layers are
		* not aware of possible packet size after reassembly, they
		* would have allocated smaller buffer.
		*/
		if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
		android_errorWriteLog(0x534e4554, "232023771");
		osi_free(p_buf);
		p_ret = NULL;
		return p_ret;
		}
		p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
		memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);

+4 −2

Original line number	Diff line number	Diff line
		@@ -1251,11 +1251,13 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
		* not aware of possible packet size after reassembly, they
		* would have allocated smaller buffer.
		*/
		p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
		if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
		android_errorWriteLog(0x534e4554, "232023771");
		return NULL;
		osi_free(p_buf);
		p_ret = NULL;
		return p_ret;
		}
		p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
		memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);

		/* Free original buffer */