-rw-r--r-- | bta/pan/bta_pan_act.c | 10 | ||||
-rw-r--r-- | include/bt_target.h | 4 |
2 files changed, 14 insertions, 0 deletions
diff --git a/bta/pan/bta_pan_act.c b/bta/pan/bta_pan_act.c index c81fe7173..bb502db95 100644 --- a/bta/pan/bta_pan_act.c +++ b/bta/pan/bta_pan_act.c @@ -27,6 +27,8 @@ #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE) #include "btu.h" +#include <cutils/log.h> + #include "bta_api.h" #include "bta_sys.h" #include "gki.h" @@ -230,6 +232,14 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, if ( sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset ) { /* offset smaller than data structure in front of actual data */ + if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > + PAN_BUF_SIZE) { + android_errorWriteLog(0x534e4554, "63146237"); + APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, + p_buf->len); + GKI_freebuf(p_buf); + return; + } p_new_buf = (BT_HDR *)GKI_getpoolbuf( PAN_POOL_ID ); if(!p_new_buf) { diff --git a/include/bt_target.h b/include/bt_target.h index 6e9a835c6..e5e6280b5 100644 --- a/include/bt_target.h +++ b/include/bt_target.h @@ -334,6 +334,10 @@ #define AVDT_DATA_POOL_SIZE GKI_BUF3_SIZE #endif +#ifndef PAN_BUF_SIZE +#define PAN_BUF_SIZE GKI_BUF3_SIZE +#endif + #ifndef PAN_POOL_ID #define PAN_POOL_ID GKI_POOL_ID_3 /* Maximum amount of the shared buffer to allocate for PAN */ |
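Review bot: The new length check in bta_pan_data_buf_ind_cback bounds the copy by PAN_BUF_SIZE, but the destination buffer comes from `GKI_getpoolbuf( PAN_POOL_ID )`, and the bt_target.h hunk gives PAN_BUF_SIZE and PAN_POOL_ID separate `#ifndef` defaults. A target that overrides PAN_POOL_ID to a pool with smaller buffers, without also overriding PAN_BUF_SIZE, would pass the check with a length that does not fit p_new_buf. Either derive the limit from the pool actually used, for example `GKI_get_pool_bufsize(PAN_POOL_ID)` in place of `PAN_BUF_SIZE` (if gki.h in this tree exports it), or document the coupling with `/* Must equal the buffer size of PAN_POOL_ID */` above the new define. The function body, including the copy into p_new_buf, continues outside the hunk, so the exact number of bytes written there should be confirmed against this bound.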