Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7018225d authored by Hansong Zhang's avatar Hansong Zhang Committed by android-build-merger
Browse files

Merge "DO NOT MERGE Fix OOB read in process_l2cap_cmd" into oc-dev 

am: d50fb96d

Change-Id: I79868f8b17f4fed7294bc6064f082f8f93b2d272
parents 9f4a6f02 d50fb96d

system/stack/l2cap/l2c_main.cc

+4 −0
Original line number Diff line number Diff line
@@ -545,6 +545,10 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) { 
            default:

              /* sanity check option length */

              if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len) {

                if (p + cfg_len > p_next_cmd) {

                  android_errorWriteLog(0x534e4554, "79488381");

                  return;

                }

                p += cfg_len;

                if ((cfg_code & 0x80) == 0) {

                  cfg_rej_len += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;