authorAjay Panicker <apanicke@google.com>2018-04-12 17:03:09 -0700
committerTim Schumacher <timschumi@gmx.de>2018-10-22 21:03:16 +0200
commit254252341683ee2afe167de3c26f82001806d344 (patch)
treeca02e05795d7d96e41c41b9166a37f19cc0b7330
parent5c361430980998f0e0afa07e097b9478010ac3bf (diff)
Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ
Bug: 74121659 Test: Compiles Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8
-rw-r--r--stack/l2cap/l2c_ble.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/stack/l2cap/l2c_ble.c b/stack/l2cap/l2c_ble.c
index 92c8f03fd..eca22548c 100644
--- a/stack/l2cap/l2c_ble.c
+++ b/stack/l2cap/l2c_ble.c
@@ -31,6 +31,7 @@
#include "btm_int.h"
#include "hcimsgs.h"
#include "device/include/controller.h"
+#include "log/log.h"
#if (BLE_INCLUDED == TRUE)
static void l2cble_start_conn_update (tL2C_LCB *p_lcb);
@@ -1203,6 +1204,10 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
}
break;
case L2CAP_CMD_DISC_REQ:
+ if (p + 4 > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "74121659");
+ return;
+ }
STREAM_TO_UINT16 (lcid, p);
STREAM_TO_UINT16 (rcid, p);
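Review bot: The new guard under `case L2CAP_CMD_DISC_REQ:` is written as `p + 4 > p_pkt_end`, which forms a pointer that can lie more than one byte past the end of the packet buffer when fewer than four bytes remain. That is undefined behaviour in C, so the comparison is not guaranteed to hold on every compiler or address layout. Comparing the remaining length avoids the out-of-range pointer: `if (p_pkt_end - p < 4) {`. The literal 4 stands for the two UINT16 fields read immediately below (lcid and rcid), so a short comment such as `/* lcid + rcid, 2 bytes each */` would keep the check tied to the reads it protects. `p_pkt_end` and the rest of l2cble_process_sig_cmd are defined outside this hunk, so this assumes it marks the end of the received signalling payload.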