diff options
| author | Hansong Zhang <hsz@google.com> | 2018-06-07 14:25:09 -0700 |
|---|---|---|
| committer | Tim Schumacher <timschumi@gmx.de> | 2018-10-22 21:09:18 +0200 |
| commit | dd9e0da3af8a5d148a52ba690eb1012362abf88a (patch) | |
| tree | 35ed230fe83ce6ec26a2114ef81a7675b05a60d8 | |
| parent | cb710f8bacb116024aef31eac5bf877e9257faff (diff) | |
| download | android_system_bt-dd9e0da3af8a5d148a52ba690eb1012362abf88a.tar.gz android_system_bt-dd9e0da3af8a5d148a52ba690eb1012362abf88a.tar.bz2 android_system_bt-dd9e0da3af8a5d148a52ba690eb1012362abf88a.zip | |
HID Host: Check L2CAP packet data length
Bug: 80493272
Test: manual
Change-Id: I8b1acd11616684729752195fabb4fa34c46a508d
(cherry picked from commit ca47a05acb66218ff2123f8d4642961f7f2eb5e2)
| -rw-r--r-- | stack/hid/hidh_conn.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/stack/hid/hidh_conn.c b/stack/hid/hidh_conn.c index 3e9a5c423..f41650554 100644 --- a/stack/hid/hidh_conn.c +++ b/stack/hid/hidh_conn.c @@ -43,6 +43,8 @@ #include "hidh_int.h" #include "bt_utils.h" +#include "log/log.h" + #include "device/include/interop.h" static UINT8 find_conn_by_cid (UINT16 cid); @@ -848,6 +850,13 @@ static void hidh_l2cif_data_ind (UINT16 l2cap_cid, BT_HDR *p_msg) return; } + if (p_msg->len < 1) { + HIDH_TRACE_WARNING("Rcvd L2CAP data, invalid length %d, should be >= 1", + p_msg->len); + GKI_freebuf(p_msg); + android_errorWriteLog(0x534e4554, "80493272"); + return; + } ttype = HID_GET_TRANS_FROM_HDR(*p_data); param = HID_GET_PARAM_FROM_HDR(*p_data); |