diff options
author | Myles Watson <mylesgw@google.com> | 2018-10-25 14:33:33 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2019-02-03 12:39:53 +0100 |
commit | 2f5769c8a107197c3c3692a0cb8cf6b8795d0c0e (patch) | |
tree | a2a7cabb8af53657dc04aa7e5d7fe92844f7e416 | |
parent | ca40fc59e97f6faa6974a6a6c0d54dbf81688242 (diff) | |
download | android_system_bt-2f5769c8a107197c3c3692a0cb8cf6b8795d0c0e.tar.gz android_system_bt-2f5769c8a107197c3c3692a0cb8cf6b8795d0c0e.tar.bz2 android_system_bt-2f5769c8a107197c3c3692a0cb8cf6b8795d0c0e.zip |
HH: Check parameter length in bta_hh_ctrl_dat_act
Bug: 116108738
Test: send a malformed GET_IDLE command with no parameters
Change-Id: Ic57e748a06ea6d4fc16868310d3423ee71a7ac8c
(cherry picked from commit b8fbe73f0d32686e8393bfe07a84b6f0e8829caf)
CVE-2018-9591
-rw-r--r-- | bta/hh/bta_hh_act.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/bta/hh/bta_hh_act.c b/bta/hh/bta_hh_act.c index fef1a3578..3076d15c1 100644 --- a/bta/hh/bta_hh_act.c +++ b/bta/hh/bta_hh_act.c @@ -26,6 +26,7 @@ #if defined(BTA_HH_INCLUDED) && (BTA_HH_INCLUDED == TRUE) +#include <log/log.h> #include <string.h> #include "bta_sys.h" @@ -782,6 +783,13 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB *p_cb, tBTA_HH_DATA * p_data) APPL_TRACE_DEBUG("Ctrl DATA received w4: event[%s]", bta_hh_get_w4_event(p_cb->w4_evt)); #endif + if (pdata->len == 0) + { + android_errorWriteLog(0x534e4554, "116108738"); + p_cb->w4_evt = 0; + GKI_freebuf(pdata); + return; + } hs_data.status = BTA_HH_OK; hs_data.handle = p_cb->hid_handle; |