author | Pavlin Radoslavov <pavlin@google.com> | 2017-07-13 19:22:46 +0000 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2017-07-13 19:22:46 +0000 |
commit | df16497d1cc6080788310e443b874d9a7db5695d (patch) | |
tree | 6297acb766e0f12a67dde57c90e00ed95e4ff266 | |
parent | 9dc57eff7a2d6c2d526005310b49bb5f2e6f7645 (diff) | |
parent | 19b22ffe8a37edb1ae78e0c83064dc452e1e79d6 (diff) | |
Merge "Add a missing check for PAN buffer size before copying data" into mnc-dev am: c41ba8a569 am: 494625245f
am: 19b22ffe8a
Change-Id: Ia027b6cc651ffc920d5fafb7f8dad8f442220706
-rw-r--r-- | bta/pan/bta_pan_act.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/bta/pan/bta_pan_act.c b/bta/pan/bta_pan_act.c
index 4ed52e389..7bb3b2c5b 100644
--- a/bta/pan/bta_pan_act.c
+++ b/bta/pan/bta_pan_act.c
@@ -26,6 +26,8 @@
 #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)
+#include <cutils/log.h>
+
 #include "bta_api.h"
 #include "bta_sys.h"
 #include "gki.h"
@@ -206,6 +208,15 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
 if ( sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset )
 {
+ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+ GKI_get_pool_bufsize(PAN_POOL_ID)) {
+ android_errorWriteLog(0x534e4554, "63146237");
+ APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+ p_buf->len);
+ GKI_freebuf(p_buf);
+ return;
+ }
+
 /* offset smaller than data structure in front of actual data */
 p_new_buf = (BT_HDR *)GKI_getpoolbuf( PAN_POOL_ID );
 if(!p_new_buf) |
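Review bot: The new length guard in bta_pan_data_buf_ind_cback uses two unexplained constants, `0x534e4554` and `"63146237"`, and drops the frame without a comment saying why this sum is the right bound. A short comment above the check would cover it, e.g. `/* p_new_buf must hold BT_HDR + tBTA_PAN_DATA_PARAMS + payload; drop frames that cannot fit in a PAN_POOL_ID buffer */`, along with a note that 0x534e4554 is ASCII "SNET" and the string is presumably the tracking bug id. The error trace would be more useful for triage if it printed the limit next to the length: `APPL_TRACE_ERROR("%s: received buffer length too large: %d (pool %d)", __func__, p_buf->len, GKI_get_pool_bufsize(PAN_POOL_ID));`. The check bounds the destination buffer only; whether `p_buf->offset + p_buf->len` is validated against the source buffer cannot be seen here, because the function body starts and ends outside the hunk.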