Add length check when copy AVDTP packet (7de61cea) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/avdt/avdt_msg.cc

+4 −0

Original line number	Diff line number	Diff line
		@@ -1258,6 +1258,10 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
		return p_ret;
		}
		p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
		if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
		android_errorWriteLog(0x534e4554, "232023771");
		return NULL;
		}
		memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);

		/* Free original buffer */