author | Pavlin Radoslavov <pavlin@google.com> | 2017-07-06 13:39:02 -0700 |
---|---|---|
committer | Andreas Blaesius <skate4life@gmx.de> | 2017-09-17 22:11:26 +0200 |
commit | 2bb37becb8efe5ba92f2804cf091bde33c8290d4 (patch) | |
tree | 4aa8a480a4be21d1c1f78ca6ec19feed4ef5c313 /stack/l2cap | |
parent | 27eaaa6e0a490c357411196938a913c958020b39 (diff) | |
Allocate buffers of the right size when BT_HDR is included
Bug: 63146105
Test: External script
Change-Id: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
Merged-In: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
(cherry picked from commit 8810ffba990f8f53172c445ebde8707525bb7813)
CVE-2017-0781
Diffstat (limited to 'stack/l2cap')
-rw-r--r-- | stack/l2cap/l2cap_client.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/stack/l2cap/l2cap_client.c b/stack/l2cap/l2cap_client.c
index 95b8e0131..e4c7d82f6 100644
--- a/stack/l2cap/l2cap_client.c
+++ b/stack/l2cap/l2cap_client.c
@@ -372,7 +372,7 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
 assert(packet != NULL);
 // TODO(sharvil): eliminate copy into BT_HDR.
- BT_HDR *bt_packet = GKI_getbuf(buffer_length(packet) + L2CAP_MIN_OFFSET);
+ BT_HDR *bt_packet = GKI_getbuf(buffer_length(packet) + L2CAP_MIN_OFFSET + sizeof(BT_HDR));
 bt_packet->offset = L2CAP_MIN_OFFSET;
 bt_packet->len = buffer_length(packet);
 memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet), buffer_length(packet));
@@ -386,7 +386,7 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet) {
 break;
 }
- BT_HDR *fragment = GKI_getbuf(client->remote_mtu + L2CAP_MIN_OFFSET);
+ BT_HDR *fragment = GKI_getbuf(client->remote_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR));
 fragment->offset = L2CAP_MIN_OFFSET;
 fragment->len = client->remote_mtu;
 memcpy(fragment->data + fragment->offset, bt_packet->data + bt_packet->offset, client->remote_mtu); |
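Review bot: The pointer returned by `GKI_getbuf` is dereferenced on the very next line (`bt_packet->offset = L2CAP_MIN_OFFSET;`) with no NULL check, and the same holds for `fragment` in the second hunk. Whether the allocator can return NULL for an exhausted pool or an oversized request is not visible here, but if it can, a large packet turns the corrected allocation into a NULL write instead of a heap overflow. I would add `if (bt_packet == NULL) return;` after the first allocation and an equivalent guard on `fragment` that also releases `bt_packet` before leaving the loop. fragment_packet starts before and continues past both hunks, so the exact cleanup path needs to be confirmed against the full function.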
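Review bot: The three-term size `client->remote_mtu + L2CAP_MIN_OFFSET + sizeof(BT_HDR)` is now written out by hand at both allocations, and a forgotten term in that sum is exactly what this commit repairs. A comment above each call would keep the next call site from repeating the omission, for example `// Size must cover the BT_HDR header, the L2CAP_MIN_OFFSET headroom and the payload.` It is also worth confirming that the sum cannot exceed the range of `GKI_getbuf`'s size parameter, since `remote_mtu` presumably comes from the peer and a truncated size would reintroduce an undersized buffer ahead of the `memcpy` of `client->remote_mtu` bytes. The loop that bounds this copy lies outside the hunk.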