
Commit afa95bbe authored by Pavlin Radoslavov's avatar Pavlin Radoslavov

Check the HCI length before extracting the L2CAP length and CID

Bug: 34946955
Test: A2DP streaming to a headset
Change-Id: I0b6f50dee05a58db8c043b4d01fb58c9acbeede9
(cherry picked from commit ecc0835114cbae3033d8b0e25bd8b443880d5077)
parent dcde22ea
+12 −11
@@ -26,6 +26,8 @@
#include <string.h>
#include <stdio.h>

#include <log/log.h>

#include "device/include/controller.h"
#include "btcore/include/counter.h"
#include "bt_target.h"
@@ -182,6 +184,14 @@ void l2c_rcv_acl_data (BT_HDR *p_msg)
    STREAM_TO_UINT16 (hci_len, p);
    p_msg->offset += 4;

    if (hci_len < L2CAP_PKT_OVERHEAD) {
        /* Must receive at least the L2CAP length and CID */
        L2CAP_TRACE_WARNING ("L2CAP - got incorrect hci header");
        android_errorWriteLog(0x534e4554, "34946955");
        GKI_freebuf (p_msg);
        return;
    }

    /* Extract the length and CID */
    STREAM_TO_UINT16 (l2cap_len, p);
    STREAM_TO_UINT16 (rcv_cid, p);
@@ -204,17 +214,8 @@ void l2c_rcv_acl_data (BT_HDR *p_msg)
        }
    }

    if (hci_len >= L2CAP_PKT_OVERHEAD)  /* Must receive at least the L2CAP length and CID.*/
    {
    p_msg->len    = hci_len - L2CAP_PKT_OVERHEAD;
    p_msg->offset += L2CAP_PKT_OVERHEAD;
    }
    else
    {
        L2CAP_TRACE_WARNING ("L2CAP - got incorrect hci header" );
        GKI_freebuf (p_msg);
        return;
    }

    if (l2cap_len != p_msg->len)
    {
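Review bot: The guard added after `STREAM_TO_UINT16 (hci_len, p)` validates only the length declared in the HCI header, so a buffer holding fewer bytes than `hci_len` claims would still reach the two `STREAM_TO_UINT16` reads for `l2cap_len` and `rcv_cid`, and `p_msg->len = hci_len - L2CAP_PKT_OVERHEAD` in the last hunk then replaces the buffer's length with the declared one. Nothing in the visible lines compares `hci_len` with the length `p_msg` had on entry; l2c_rcv_acl_data starts above the hunk, so that check may already exist there and should be confirmed. If it does not, the same early-return branch could reject the mismatch as well, e.g. `if (hci_len < L2CAP_PKT_OVERHEAD || hci_len > received_len)`, where `received_len` is a placeholder for the entry value of `p_msg->len` less the HCI preamble if that is counted in it. A one-line comment on `android_errorWriteLog(0x534e4554, "34946955")` stating that the constant is the SafetyNet ("SNET") log tag and the string is the bug id would also spare readers a lookup.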