diff options
| author | Marie Janssen <jamuraa@google.com> | 2016-05-12 15:30:16 -0700 |
|---|---|---|
| committer | The Android Automerger <android-build@google.com> | 2016-05-27 11:31:41 -0700 |
| commit | 514139f4b40cbb035bb92f3e24d5a389d75db9e6 (patch) | |
| tree | 9ea3d10342f83d43e2213ff157cd5ff4293ff082 | |
| parent | 37c88107679d36c419572732b4af6e18bb2f7dce (diff) | |
| download | android_system_bt-514139f4b40cbb035bb92f3e24d5a389d75db9e6.tar.gz android_system_bt-514139f4b40cbb035bb92f3e24d5a389d75db9e6.tar.bz2 android_system_bt-514139f4b40cbb035bb92f3e24d5a389d75db9e6.zip | |
DO NOT MERGE btif: check overflow on create_pbuf size
Bug: 27930580
Change-Id: Ieb1f23f9a8a937b21f7c5eca92da3b0b821400e6
| -rw-r--r-- | btif/src/btif_hh.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/btif/src/btif_hh.c b/btif/src/btif_hh.c index 633975d5d..8b977ae34 100644 --- a/btif/src/btif_hh.c +++ b/btif/src/btif_hh.c @@ -33,6 +33,8 @@ #define LOG_TAG "bt_btif_hh" +#include <cutils/log.h> + #include "bta_api.h" #include "bta_hh_api.h" #include "btif_storage.h" @@ -254,7 +256,12 @@ static void toggle_os_keylockstates(int fd, int changedlockstates) *******************************************************************************/ static BT_HDR *create_pbuf(UINT16 len, UINT8 *data) { - BT_HDR* p_buf = GKI_getbuf((UINT16) (len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR))); + UINT16 buflen = (UINT16) (len + BTA_HH_MIN_OFFSET + sizeof(BT_HDR)); + if (buflen < len) { + android_errorWriteWithInfoLog(0x534e4554, "28672558", -1, NULL, 0); + return NULL; + } + BT_HDR* p_buf = GKI_getbuf(buflen); if (p_buf) { UINT8* pbuf_data; |