
Commit fb614b99 authored by Jakub Pawlowski's avatar Jakub Pawlowski

Add packet length checks in l2cble_process_sig_cmd

Bug: 80261585
Test: compilation
Change-Id: Icf55747dc948bcce140a12658237554938e2d717
Merged-In: Icf55747dc948bcce140a12658237554938e2d717
parent 6c619e95
+14 −0
@@ -31,6 +31,7 @@
#include "btm_int.h"
#include "hcimsgs.h"
#include "device/include/controller.h"
#include "log/log.h"

#if (BLE_INCLUDED == TRUE)
static void l2cble_start_conn_update (tL2C_LCB *p_lcb);
@@ -601,6 +602,13 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)

    p_pkt_end = p + pkt_len;

    if (p + 4 > p_pkt_end)
    {
        android_errorWriteLog(0x534e4554, "80261585");
        L2CAP_TRACE_WARNING ("%s bad packet length", __func__);
        return;
    }

    STREAM_TO_UINT8  (cmd_code, p);
    STREAM_TO_UINT8  (id, p);
    STREAM_TO_UINT16 (cmd_len, p);
@@ -625,6 +633,12 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
            break;

        case L2CAP_CMD_BLE_UPDATE_REQ:
            if (p + 8 > p_pkt_end)
            {
                android_errorWriteLog(0x534e4554, "80261585");
                L2CAP_TRACE_WARNING ("%s bad update_req packet length", __func__);
                return;
            }
            STREAM_TO_UINT16 (min_interval, p); /* 0x0006 - 0x0C80 */
            STREAM_TO_UINT16 (max_interval, p); /* 0x0006 - 0x0C80 */
            STREAM_TO_UINT16 (latency, p);  /* 0x0000 - 0x03E8 */
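Review bot: Both new guards are written as `p + 4 > p_pkt_end` and `p + 8 > p_pkt_end`, which forms a pointer past the end of the packet before comparing it; if the receive buffer ends at `p_pkt_end` (its allocation is not visible here) that arithmetic is undefined behaviour and a compiler is allowed to assume it never happens. Comparing the remaining length avoids the problem: `if (p_pkt_end - p < 4)` for the header check and `if (p_pkt_end - p < 8)` in the `L2CAP_CMD_BLE_UPDATE_REQ` case. The literals 4 and 8 would also read better with a comment such as `/* code(1) + id(1) + len(2) */` and `/* presumably four UINT16 parameters */`; only three of the reads are visible in the last hunk, and the rest of the case and of l2cble_process_sig_cmd lies outside it. The update-request guard bounds against the whole packet rather than the `cmd_len` just parsed, so it is worth confirming that `cmd_len` is validated in the lines between these hunks.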