system/bt
| リビジョン | 589796bd7caccc95463948173d7bff595f28dabc (tree) |
|---|---|
| 日時 | 2018-10-08 17:42:07 |
| 作者 | Cheney Ni <cheneyni@goog...> |
| コミッター | Vasyl Gello |
Add packet length checks in mca_ccb_hdl_req
Bug: 110791536
Test: manual
Change-Id: Ica5d8037246682fdb190b2747a86ed8d44c2869a
(cherry picked from commit 4de7ccdd914b7a178df9180d15f675b257ea6e02)
stack/mcap/mca_cact.c (diff)| @@ -22,6 +22,7 @@ | ||
| 22 | 22 | * Functions. |
| 23 | 23 | * |
| 24 | 24 | ******************************************************************************/ |
| 25 | +#include <log/log.h> | |
| 25 | 26 | #include <string.h> |
| 26 | 27 | #include "bt_target.h" |
| 27 | 28 | #include "bt_utils.h" |
| @@ -272,9 +273,18 @@ void mca_ccb_hdl_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data) | ||
| 272 | 273 | p_rx_msg = (tMCA_CCB_MSG *)p_pkt; |
| 273 | 274 | p = (UINT8 *)(p_pkt + 1) + p_pkt->offset; |
| 274 | 275 | evt_data.hdr.op_code = *p++; |
| 275 | - BE_STREAM_TO_UINT16 (evt_data.hdr.mdl_id, p); | |
| 276 | 276 | reject_opcode = evt_data.hdr.op_code+1; |
| 277 | 277 | |
| 278 | + if (p_pkt->len >= 3) | |
| 279 | + { | |
| 280 | + BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p); | |
| 281 | + } | |
| 282 | + else | |
| 283 | + { | |
| 284 | + android_errorWriteLog(0x534e4554, "110791536"); | |
| 285 | + evt_data.hdr.mdl_id = 0; | |
| 286 | + } | |
| 287 | + | |
| 278 | 288 | MCA_TRACE_DEBUG ("received mdl id: %d ", evt_data.hdr.mdl_id); |
| 279 | 289 | if (p_ccb->status == MCA_CCB_STAT_PENDING) |
| 280 | 290 | { |
Fork