diff options
author | Ugo Yu <ugoyu@google.com> | 2018-08-08 16:09:58 +0800 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-11-18 07:45:48 +0000 |
commit | 10de1343b6e3b65e913b8d9281b7bb5a32c841a3 (patch) | |
tree | 2019d7994dda5b1769f67230eeeb6e657fada3cb | |
parent | 9c8d53b94c53e1ba4e6cb7e060fe19634c4b3642 (diff) | |
download | android_system_bt-10de1343b6e3b65e913b8d9281b7bb5a32c841a3.tar.gz android_system_bt-10de1343b6e3b65e913b8d9281b7bb5a32c841a3.tar.bz2 android_system_bt-10de1343b6e3b65e913b8d9281b7bb5a32c841a3.zip |
Add packet length check in smp_proc_master_id
Bug: 111937027
Test: manual
Change-Id: I1144c9879e84fa79d68ad9d5fece4f58e2a3b075
(cherry picked from commit c8294662d07a98e9b8b1cab1ab681ec0805ce4e8)
-rw-r--r-- | stack/smp/smp_act.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c index 4c6136ab9..bcd96d12b 100644 --- a/stack/smp/smp_act.c +++ b/stack/smp/smp_act.c @@ -975,6 +975,16 @@ void smp_proc_master_id(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) tBTM_LE_PENC_KEYS le_key; SMP_TRACE_DEBUG("%s", __func__); + + if (p_cb->rcvd_cmd_len < 11) + { + // 1(Code) + 2(EDIV) + 8(Rand) + android_errorWriteLog(0x534e4554, "111937027"); + SMP_TRACE_ERROR("%s: Invalid command length: %d, should be at least 11", + __func__, p_cb->rcvd_cmd_len); + return; + } + smp_update_key_mask (p_cb, SMP_SEC_KEY_TYPE_ENC, TRUE); STREAM_TO_UINT16(le_key.ediv, p); |