Commit 73ed6c7b authored by Hansong Zhang

Fix OOB read in process_l2cap_cmd

Test: manual
Bug: 79488381
Change-Id: I723866ed40d3647fed99875f659bb95df96a6969
parent 9bd9fd75
+1 −0
@@ -511,6 +511,7 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
            default:
              /* sanity check option length */
              if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len) {
                if (p + cfg_len > p_next_cmd) return;
                p += cfg_len;
                if ((cfg_code & 0x80) == 0) {
                  cfg_rej_len += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
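
Review bot: the bounds check `if (p + cfg_len > p_next_cmd) return;` in the `default:` option branch computes `p + cfg_len` before comparing it, so when `cfg_len` is larger than the bytes remaining, the expression itself forms a pointer past the end of the buffer, which is undefined behaviour in C and C++ and can in principle be optimised away. Comparing lengths instead, for example `if (cfg_len > p_next_cmd - p) return;`, expresses the same condition without out-of-range pointer arithmetic, provided `p` never exceeds `p_next_cmd` at this point. The check also exits `process_l2cap_cmd` silently: a malformed option from a remote peer is dropped with no log line or counter, so adding one before the `return` would let this condition be seen in the field. The existing test `(cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len` only validates against the length the peer declared in `cmd_len`, which is why the second check against `p_next_cmd` is needed; a short comment stating that would help future readers. With "Test: manual" in the commit message, a unit or fuzz test feeding a config option whose `cfg_len` exceeds the remaining bytes would guard against regression.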