authorHansong Zhang <hsz@google.com>2018-06-07 16:18:52 -0700
committerTim Schumacher <timschumi@gmx.de>2018-11-18 07:45:39 +0000
commit9aec9a237b8af2b5895385c188e36d662322edd3 (patch)
tree727cda1d5e37d33b5bcdb05b86b32d4239dc2f9b
parentfa1d477e2bfc20f5067c34bbabb439f661ec8ba3 (diff)
downloadandroid_system_bt-9aec9a237b8af2b5895385c188e36d662322edd3.tar.gz
android_system_bt-9aec9a237b8af2b5895385c188e36d662322edd3.tar.bz2
android_system_bt-9aec9a237b8af2b5895385c188e36d662322edd3.zip
Add bound check for rfc_parse_data
Bug: 78288018 Test: manual Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0 (cherry picked from commit 6039cb7225733195192b396ad19c528800feb735)
-rw-r--r--stack/include/rfcdefs.h7
-rw-r--r--stack/rfcomm/rfc_ts_frames.c14
2 files changed, 13 insertions, 8 deletions
diff --git a/stack/include/rfcdefs.h b/stack/include/rfcdefs.h
index dcc37bc72..1c751f3f5 100644
--- a/stack/include/rfcdefs.h
+++ b/stack/include/rfcdefs.h
@@ -90,13 +90,6 @@
pf = (*p_data++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET;\
}
-#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data) \
-{ \
- ea = (*p_data & RFCOMM_EA); \
- length = (*p_data++ >> RFCOMM_SHIFT_LENGTH1); \
- if (!ea) length += (*p_data++ << RFCOMM_SHIFT_LENGTH2); \
-}
-
#define RFCOMM_FRAME_IS_CMD(initiator, cr) \
(( (initiator) && !(cr)) || (!(initiator) && (cr)))
diff --git a/stack/rfcomm/rfc_ts_frames.c b/stack/rfcomm/rfc_ts_frames.c
index c87cc2abd..c234430c8 100644
--- a/stack/rfcomm/rfc_ts_frames.c
+++ b/stack/rfcomm/rfc_ts_frames.c
@@ -602,7 +602,19 @@ UINT8 rfc_parse_data (tRFC_MCB *p_mcb, MX_FRAME *p_frame, BT_HDR *p_buf)
return (RFC_EVENT_BAD_FRAME);
}
RFCOMM_PARSE_TYPE_FIELD (p_frame->type, p_frame->pf, p_data);
- RFCOMM_PARSE_LEN_FIELD (eal, len, p_data);
+
+ eal = *(p_data)&RFCOMM_EA;
+ len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
+ if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN)
+ {
+ len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
+ }
+ else if (eal == 0)
+ {
+ RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
+ LOG_ERROR(LOG_TAG, "78288018");
+ return RFC_EVENT_BAD_FRAME;
+ }
p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
p_buf->offset += (3 + !ead + !eal);
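Review bot: The new length guard on the `if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN)` line looks inverted: the branch that consumes a second length byte runs only when the buffer is *shorter* than a control frame, while an EA = 0 frame that is long enough to actually hold that byte falls into the else-if and is rejected as a bad frame. A check that gates reading one more byte should require room for it, `if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN)`, with the else-if still rejecting the short frame. If the function's earlier minimum-length check (outside this hunk) already rejects p_buf->len below RFCOMM_CTRL_FRAME_LEN, the true branch as written is unreachable and every two-byte-length frame is dropped, which is fail-safe but a functional regression rather than a bounds check. The subtraction on the `p_buf->len -= (3 + !ead + !eal + 1)` line is also still unguarded for a buffer that is exactly the minimum length with no trailing FCS byte, so it would be worth confirming that p_buf->len cannot underflow there. rfc_parse_data starts and ends outside this hunk.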