
Commit 5a3bdee7 authored by Myles Watson

avrcp: Ignore AVCT commands that are too long

Bug: 177611958
Test: compilation
Tag: #security
Change-Id: If914b5928cdf16696eb54bfe91c2869cbbf8e36c
parent fdf4c012
+4 −3
@@ -636,9 +636,10 @@ static void avrc_msg_cback(uint8_t handle, uint8_t label, uint8_t cr,
  tAVRC_MSG_VENDOR* p_msg = &msg.vendor;

  if (cr == AVCT_CMD && (p_pkt->layer_specific & AVCT_DATA_CTRL &&
                         AVRC_PACKET_LEN < sizeof(p_pkt->len))) {
    /* Ignore the invalid AV/C command frame */
    p_drop_msg = "dropped - too long AV/C cmd frame size";
                         p_pkt->len > AVRC_PACKET_LEN)) {
    android_errorWriteLog(0x534e4554, "177611958");
    AVRC_TRACE_WARNING("%s: Command length %d too long: must be at most %d",
                       __func__, p_pkt->len, AVRC_PACKET_LEN);
    osi_free(p_pkt);
    return;
  }
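Review bot: The length guard in the `if` at the top of this hunk fires only when `cr == AVCT_CMD` and `AVCT_DATA_CTRL` is set, so an over-length response, or a packet without that flag, still reaches the parsing further down in avrc_msg_cback. That code lies outside this hunk, so it is worth confirming that those paths bound `p_pkt->len` themselves before the payload is read. The condition also depends on `&` binding tighter than `&&`; writing it as `(p_pkt->layer_specific & AVCT_DATA_CTRL) && p_pkt->len > AVRC_PACKET_LEN` makes the intent explicit. Since the commit lists only `Test: compilation`, a unit test at the boundary (a length equal to AVRC_PACKET_LEN accepted, one byte more dropped) would pin the corrected comparison.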