Commit af3fbe05 authored by Hansong Zhang, committed by Chris Manton

Check HCI_ACL header length

For ACL packet before connection is established, the check for HCI_ACL
length is missing

Bug: 123024201
Test: POC with ASAN
Change-Id: Id9bae36240c80ae2c8c163f46db404e32e6e9b9e
parent f7785480
+2 −2
@@ -80,8 +80,8 @@ void l2c_rcv_acl_data(BT_HDR* p_msg) {

  uint16_t hci_len;
  STREAM_TO_UINT16(hci_len, p);
  if (hci_len < L2CAP_PKT_OVERHEAD) {
    /* Must receive at least the L2CAP length and CID */
  if (hci_len < L2CAP_PKT_OVERHEAD || hci_len != p_msg->len - 4) {
    /* Remote-declared packet size must match HCI_ACL size - ACL header (4) */
    L2CAP_TRACE_WARNING("L2CAP - got incorrect hci header");
    osi_free(p_msg);
    return;
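
Review bot: In the new condition, `hci_len != p_msg->len - 4` is evaluated only after `STREAM_TO_UINT16(hci_len, p)` has already read the length field, and nothing in the visible context confirms that `p_msg->len` is at least 4 before that read. If no earlier check exists above this hunk, compare `p_msg->len` against the ACL header size first and return before dereferencing `p`. The bare literal 4 appears in both the condition and the comment; a named constant for the ACL header size would keep the two from drifting apart. The warning text could also include `hci_len` and `p_msg->len`, so a mismatched packet can be diagnosed from the trace alone.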