
Commit d202dada authored by weichinweng's avatar weichinweng

Fix possible OOB when receive SMP data

Bug: 111215315
Test: manual

Change-Id: I79886048f4ad24dbdbb86b039709301b77da7f2d
parent c71b4b19
+17 −0
@@ -22,6 +22,7 @@
 *
 ******************************************************************************/

#include <cutils/log.h>
#include "bt_target.h"

#include <string.h>
@@ -141,6 +142,14 @@ static void smp_data_received(uint16_t channel, const RawAddress& bd_addr,
  uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;
  uint8_t cmd;

  if (p_buf->len < 1) {
    android_errorWriteLog(0x534e4554, "111215315");
    SMP_TRACE_WARNING("%s: smp packet length %d too short: must be at least 1",
                      __func__, p_buf->len);
    osi_free(p_buf);
    return;
  }

  STREAM_TO_UINT8(cmd, p);

  SMP_TRACE_EVENT("%s: SMDBG l2c, cmd=0x%x", __func__, cmd);
@@ -282,6 +291,14 @@ static void smp_br_data_received(uint16_t channel, const RawAddress& bd_addr,
  uint8_t cmd;
  SMP_TRACE_EVENT("SMDBG l2c %s", __func__);

  if (p_buf->len < 1) {
    android_errorWriteLog(0x534e4554, "111215315");
    SMP_TRACE_WARNING("%s: smp packet length %d too short: must be at least 1",
                      __func__, p_buf->len);
    osi_free(p_buf);
    return;
  }

  STREAM_TO_UINT8(cmd, p);

  /* sanity check */
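Review bot: The added `p_buf->len < 1` guard, here and in the identical block in smp_data_received, protects only the single opcode byte consumed by `STREAM_TO_UINT8(cmd, p)`; nothing in the visible lines checks the remaining length against what the decoded command needs. Both function bodies continue outside the hunks, so that may be handled further down, but if the handlers read fixed-size parameters from `p`, a per-opcode minimum-length check should follow the opcode read. The warning would also be more useful for triage if it logged the peer, since `bd_addr` is already a parameter of both functions. Because the two guards are copies, a small static helper would keep them from drifting, and the tag deserves a comment such as `/* 0x534e4554 is ASCII "SNET", the SafetyNet event-log tag */`.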