system/stack/avct/avct_lcb_act.cc +6 −1 @@ -68,7 +68,12 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) { pkt_type = AVCT_PKT_TYPE(p); pkt_type = AVCT_PKT_TYPE(p); /* quick sanity check on length */ /* quick sanity check on length */ if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) { if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] || (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) { if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) { android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0); } osi_free(p_buf); osi_free(p_buf); AVCT_TRACE_WARNING("Bad length during reassembly"); AVCT_TRACE_WARNING("Bad length during reassembly"); p_ret = NULL; p_ret = NULL;
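Review bot: The upper-bound test `(sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE` is written out twice in the new condition, once to reject the packet and once to decide whether to log, so a later edit to one copy can leave the other out of step. Compute it once ahead of the `if`, e.g. `const bool too_big = sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE;`, and use `too_big` in both places. The comment `/* quick sanity check on length */` should also state why the limit is BT_DEFAULT_BUFFER_SIZE; presumably the reassembly buffer that later receives this header-plus-payload copy is allocated with that size, but that allocation is outside the hunk and should be confirmed. Separately, `pkt_type = AVCT_PKT_TYPE(p)` reads from the payload before either length test runs, and whether a zero-length `p_buf` is rejected earlier in avct_lcb_msg_asmbl is not visible here.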
system/stack/avct/avct_lcb_act.cc +6 −1 @@ -68,7 +68,12 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) { pkt_type = AVCT_PKT_TYPE(p); pkt_type = AVCT_PKT_TYPE(p); /* quick sanity check on length */ /* quick sanity check on length */ if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) { if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] || (sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) { if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) { android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0); } osi_free(p_buf); osi_free(p_buf); AVCT_TRACE_WARNING("Bad length during reassembly"); AVCT_TRACE_WARNING("Bad length during reassembly"); p_ret = NULL; p_ret = NULL;