Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8938c2f7 authored by Myles Watson's avatar Myles Watson
Browse files

RFCOMM: Check flow control length 

Change-Id: Iee6392d1d93dc57e28c54fffff80e9f38286d863
Fixes: 120276962
Test: Send a flow control packet with length 3
parent 7512ecd1

system/stack/rfcomm/rfc_ts_frames.cc

+4 −0
Original line number Diff line number Diff line
@@ -539,6 +539,10 @@ uint8_t rfc_parse_data(tRFC_MCB* p_mcb, MX_FRAME* p_frame, BT_HDR* p_buf) { 
  /* handle credit if credit based flow control */

  if ((p_mcb->flow == PORT_FC_CREDIT) && (p_frame->type == RFCOMM_UIH) &&

      (p_frame->dlci != RFCOMM_MX_DLCI) && (p_frame->pf == 1)) {

    if (p_buf->len < sizeof(uint8_t)) {

      RFCOMM_TRACE_ERROR("Bad Length in flow control: %d", p_buf->len);

      return RFC_EVENT_BAD_FRAME;

    }

    p_frame->credit = *p_data++;

    p_buf->len--;

    p_buf->offset++;