
Commit 7e96f4b5 authored by Pavlin Radoslavov's avatar Pavlin Radoslavov

Check the HCI length before extracting the L2CAP length and CID

Bug: 34946955
Test: A2DP streaming to a headset
Change-Id: I0b6f50dee05a58db8c043b4d01fb58c9acbeede9
(cherry picked from commit ecc0835114cbae3033d8b0e25bd8b443880d5077)
(cherry picked from commit 33c68c82c1a9c2436d203250ab82f5361ff905b7)
(cherry picked from commit f5413af9)
parent d4c6afca
+11 −10
@@ -28,6 +28,8 @@
#include <stdlib.h>
#include <string.h>

#include <log/log.h>

#include "bt_common.h"
#include "bt_target.h"
#include "btm_int.h"
@@ -130,6 +132,13 @@ void l2c_rcv_acl_data(BT_HDR* p_msg) {
  STREAM_TO_UINT16(hci_len, p);
  p_msg->offset += 4;

  if (hci_len < L2CAP_PKT_OVERHEAD) {
    /* Must receive at least the L2CAP length and CID */
    L2CAP_TRACE_WARNING("L2CAP - got incorrect hci header");
    osi_free(p_msg);
    return;
  }

  /* Extract the length and CID */
  STREAM_TO_UINT16(l2cap_len, p);
  STREAM_TO_UINT16(rcv_cid, p);
@@ -152,16 +161,8 @@ void l2c_rcv_acl_data(BT_HDR* p_msg) {
    }
  }

  if (hci_len >=
      L2CAP_PKT_OVERHEAD) /* Must receive at least the L2CAP length and CID.*/
  {
  p_msg->len = hci_len - L2CAP_PKT_OVERHEAD;
  p_msg->offset += L2CAP_PKT_OVERHEAD;
  } else {
    L2CAP_TRACE_WARNING("L2CAP - got incorrect hci header");
    osi_free(p_msg);
    return;
  }

  if (l2cap_len != p_msg->len) {
    L2CAP_TRACE_WARNING("L2CAP - bad length in pkt. Exp: %d  Act: %d",
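Review bot: The new guard in l2c_rcv_acl_data compares hci_len, a value read from the packet itself, only against L2CAP_PKT_OVERHEAD; nothing in the visible hunks checks it against the number of bytes actually held in the buffer. Further down, p_msg->len is overwritten with `hci_len - L2CAP_PKT_OVERHEAD`, so the later `l2cap_len != p_msg->len` test compares two packet-supplied fields, and an HCI header that overstates the payload may still lead to reads past the received data. Assuming p_msg->len still holds the received byte count including the 4-byte HCI header at that point (confirm against the caller), the guard could become `if (hci_len < L2CAP_PKT_OVERHEAD || hci_len + 4 != p_msg->len) {`. Separately, the added `#include <log/log.h>` is not used by anything in these hunks, so if a security event log on the reject path was intended, it is missing. The function body starts and ends outside the hunks, so an existing length check elsewhere cannot be ruled out.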