Fix OOB read in process_l2cap_cmd

Test: manual Bug: 79488381 Change-Id: I723866ed40d3647fed99875f659bb95df96a6969 (cherry picked from commit 5bb66307b555b17d1764e116316ce50c687c9653)
author: Hansong Zhang <hsz@google.com> 2018-07-12 10:44:29 -0700
committer: Tim Schumacher <timschumi@gmx.de> 2018-10-22 21:09:17 +0200
commit: cb710f8bacb116024aef31eac5bf877e9257faff (patch)
tree: e59c94325de7a13ae47a1d8f89de61e6c480a1a1
parent: 6e9991cbd8b59feb82137437ccb40946be0adb32 (diff)
download: android_system_bt-cb710f8bacb116024aef31eac5bf877e9257faff.tar.gz
android_system_bt-cb710f8bacb116024aef31eac5bf877e9257faff.tar.bz2
android_system_bt-cb710f8bacb116024aef31eac5bf877e9257faff.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/stack/l2cap/l2c_main.c b/stack/l2cap/l2c_main.c
index 9668c9bd5..0ef1fbb6e 100644
--- a/stack/l2cap/l2c_main.c
+++ b/stack/l2cap/l2c_main.c
@@ -645,6 +645,7 @@ static void process_l2cap_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len)
                     /* sanity check option length */
                     if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len)
                     {
+                        if (p + cfg_len > p_next_cmd) return;
                         p += cfg_len;
                         if ((cfg_code & 0x80) == 0)
                         {
author	Hansong Zhang <hsz@google.com>	2018-07-12 10:44:29 -0700
committer	Tim Schumacher <timschumi@gmx.de>	2018-10-22 21:09:17 +0200
commit	cb710f8bacb116024aef31eac5bf877e9257faff (patch)
tree	e59c94325de7a13ae47a1d8f89de61e6c480a1a1
parent	6e9991cbd8b59feb82137437ccb40946be0adb32 (diff)
download	android_system_bt-cb710f8bacb116024aef31eac5bf877e9257faff.tar.gz android_system_bt-cb710f8bacb116024aef31eac5bf877e9257faff.tar.bz2 android_system_bt-cb710f8bacb116024aef31eac5bf877e9257faff.zip