
Commit a7a70ded authored by Android Build Merger (Role)'s avatar Android Build Merger (Role)

[automerger] DO NOT MERGE A security fix to check buffer length in...

[automerger] DO NOT MERGE A security fix to check buffer length in l2c_lcc_proc_pdu am: d99de9de am: 3dd01445

Change-Id: I40ce009c5868fde902bc29a0af1b62c89f02f158
parents 9c2c4b8d 3dd01445
+12 −2
@@ -840,7 +840,16 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)

    if (p_ccb->is_first_seg)
    {
        if (p_buf->len < sizeof(sdu_length)) {
          L2CAP_TRACE_ERROR("%s: buffer length=%d too small. Need at least 2.",
                            __func__, p_buf->len);
          android_errorWriteWithInfoLog(0x534e4554, "120665616", -1, NULL, 0);
          /* Discard the buffer */
          osi_free(p_buf);
          return;
        }
        STREAM_TO_UINT16(sdu_length, p);

        /* Check the SDU Length with local MTU size */
        if (sdu_length > p_ccb->local_conn_cfg.mtu)
        {
@@ -849,6 +858,9 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)
            return;
        }

        p_buf->len -= sizeof(sdu_length);
        p_buf->offset += sizeof(sdu_length);

        if (sdu_length < p_buf->len) {
            L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length);
            android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0);
@@ -868,8 +880,6 @@ void l2c_lcc_proc_pdu(tL2C_CCB *p_ccb, BT_HDR *p_buf)
        p_data->len = 0;
        p_ccb->ble_sdu_length = sdu_length;
        L2CAP_TRACE_DEBUG ("%s SDU Length = %d",__func__,sdu_length);
        p_buf->len -= sizeof(sdu_length);
        p_buf->offset += sizeof(sdu_length);
        p_data->offset = 0;
    } else {
      p_data = p_ccb->ble_sdu;
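Review bot: The relocated `p_buf->len -= sizeof(sdu_length);` in the second hunk is only safe because of the `p_buf->len < sizeof(sdu_length)` guard added in the first hunk, and nothing at the subtraction says so; if that guard is later moved or dropped, a first segment shorter than the length field would make `len` (presumably an unsigned 16-bit field) wrap. I would add a comment above the subtraction such as `/* len >= sizeof(sdu_length) is guaranteed by the check above; from here on len counts SDU payload only */`, because the move also changes what the following `sdu_length < p_buf->len` comparison measures. The new error message hard-codes `Need at least 2` while the test uses `sizeof(sdu_length)`; printing the size with `%zu` would keep the two in step. l2c_lcc_proc_pdu starts and ends outside the visible hunks, so the length handling for continuation segments in the `else` branch could not be checked here.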