Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e2ead95c authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review
Browse files

Merge "Fix possible OOB when receive SMP data"

parents 829835a2 d202dada

system/stack/smp/smp_l2c.cc

+17 −0
Original line number Diff line number Diff line
@@ -22,6 +22,7 @@ 
 *

 ******************************************************************************/



#include <cutils/log.h>

#include "bt_target.h"



#include <string.h>
@@ -141,6 +142,14 @@ static void smp_data_received(uint16_t channel, const RawAddress& bd_addr, 
  uint8_t* p = (uint8_t*)(p_buf + 1) + p_buf->offset;

  uint8_t cmd;



  if (p_buf->len < 1) {

    android_errorWriteLog(0x534e4554, "111215315");

    SMP_TRACE_WARNING("%s: smp packet length %d too short: must be at least 1",

                      __func__, p_buf->len);

    osi_free(p_buf);

    return;

  }



  STREAM_TO_UINT8(cmd, p);



  SMP_TRACE_EVENT("%s: SMDBG l2c, cmd=0x%x", __func__, cmd);
@@ -282,6 +291,14 @@ static void smp_br_data_received(uint16_t channel, const RawAddress& bd_addr, 
  uint8_t cmd;

  SMP_TRACE_EVENT("SMDBG l2c %s", __func__);



  if (p_buf->len < 1) {

    android_errorWriteLog(0x534e4554, "111215315");

    SMP_TRACE_WARNING("%s: smp packet length %d too short: must be at least 1",

                      __func__, p_buf->len);

    osi_free(p_buf);

    return;

  }



  STREAM_TO_UINT8(cmd, p);



  /* sanity check */