From a506b2fdd21041635f0649cdfcbdf83cea54db06 Mon Sep 17 00:00:00 2001 From: Pavlin Radoslavov Date: Tue, 14 Mar 2017 14:46:15 -0700 Subject: resolve merge conflicts of a3ee2e35 to nyc-dev Bug: 34946955 AOSP-Change-Id: Ieff690edd3aa527a0639483ec8e1e3b661f0ecc4 Merged-In: I0b6f50dee05a58db8c043b4d01fb58c9acbeede9 CVE-2017-0602 Change-Id: I2ef24140c3d26b3e6cf113195951fe57f61f4c1e --- stack/l2cap/l2c_main.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/stack/l2cap/l2c_main.c b/stack/l2cap/l2c_main.c index 18889d47e..0b66ea66d 100644 --- a/stack/l2cap/l2c_main.c +++ b/stack/l2cap/l2c_main.c @@ -24,6 +24,8 @@ #include #include +#include + #include #include "device/include/controller.h" @@ -189,6 +191,13 @@ void l2c_rcv_acl_data (BT_HDR *p_msg) STREAM_TO_UINT16 (hci_len, p); p_msg->offset += 4; L2CAP_TRACE_VERBOSE("%s: received packet from handle(%04x) of len (%d)", __FUNCTION__, handle, hci_len); + if (hci_len < L2CAP_PKT_OVERHEAD) { + /* Must receive at least the L2CAP length and CID */ + L2CAP_TRACE_WARNING ("L2CAP - got incorrect hci header"); + android_errorWriteLog(0x534e4554, "34946955"); + osi_free(p_msg); + return; + } /* Extract the length and CID */ STREAM_TO_UINT16 (l2cap_len, p); @@ -212,18 +221,8 @@ void l2c_rcv_acl_data (BT_HDR *p_msg) } } - if (hci_len >= L2CAP_PKT_OVERHEAD) /* Must receive at least the L2CAP length and CID.*/ - { - p_msg->len = hci_len - L2CAP_PKT_OVERHEAD; - p_msg->offset += L2CAP_PKT_OVERHEAD; - } - else - { - L2CAP_TRACE_WARNING ("L2CAP - got incorrect hci header" ); - GKI_freebuf (p_msg); - return; - } - + p_msg->len = hci_len - L2CAP_PKT_OVERHEAD; + p_msg->offset += L2CAP_PKT_OVERHEAD; if (l2cap_len != p_msg->len) { L2CAP_TRACE_WARNING ("L2CAP - bad length in pkt. Exp: %d Act: %d", -- cgit v1.2.3