From 2bb37becb8efe5ba92f2804cf091bde33c8290d4 Mon Sep 17 00:00:00 2001
From: Pavlin Radoslavov
Date: Thu, 6 Jul 2017 13:39:02 -0700
Subject: Allocate buffers of the right size when BT_HDR is included
Bug: 63146105
Test: External script
Change-Id: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
Merged-In: I1f2c871e3fcf57aabdad9d07905e6dae643bd496
(cherry picked from commit 8810ffba990f8f53172c445ebde8707525bb7813)
CVE-2017-0781
---
 stack/mcap/mca_cact.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'stack/mcap')
diff --git a/stack/mcap/mca_cact.c b/stack/mcap/mca_cact.c
index fd1779e06..8ac75bf21 100644
--- a/stack/mcap/mca_cact.c
+++ b/stack/mcap/mca_cact.c
@@ -124,7 +124,7 @@ void mca_ccb_snd_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
 p_ccb->p_tx_req = p_msg;
 if (!p_ccb->cong)
 {
- p_pkt = (BT_HDR *)GKI_getbuf (MCA_CTRL_MTU);
+ p_pkt = (BT_HDR *)GKI_getbuf (MCA_CTRL_MTU + sizeof(BT_HDR));
 if (p_pkt)
 {
 p_pkt->offset = L2CAP_MIN_OFFSET;
@@ -171,7 +171,7 @@ void mca_ccb_snd_rsp(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
 MCA_TRACE_DEBUG ("mca_ccb_snd_rsp cong=%d req=%d", p_ccb->cong, p_msg->op_code);
 /* assume that API functions verified the parameters */
- p_pkt = (BT_HDR *)GKI_getbuf (MCA_CTRL_MTU);
+ p_pkt = (BT_HDR *)GKI_getbuf (MCA_CTRL_MTU + sizeof(BT_HDR));
 if (p_pkt)
 {
 p_pkt->offset = L2CAP_MIN_OFFSET;
@@ -412,7 +412,7 @@ void mca_ccb_hdl_req(tMCA_CCB *p_ccb, tMCA_CCB_EVT *p_data)
 if (((reject_code != MCA_RSP_SUCCESS) && (evt_data.hdr.op_code != MCA_OP_SYNC_INFO_IND)) || send_rsp)
 {
- p_buf = (BT_HDR *)GKI_getbuf (MCA_CTRL_MTU);
+ p_buf = (BT_HDR *)GKI_getbuf (MCA_CTRL_MTU + sizeof(BT_HDR));
 if (p_buf)
 {
 p_buf->offset = L2CAP_MIN_OFFSET;
--
cgit v1.2.3
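Review bot: The corrected size `MCA_CTRL_MTU + sizeof(BT_HDR)` is written out by hand at three call sites (in mca_ccb_snd_req here, and again in the mca_ccb_snd_rsp and mca_ccb_hdl_req hunks), which is the same arrangement that allowed the header to be left out of the allocation before this commit. I would define the size once, for example `#define MCA_CTRL_BUF_SIZE (MCA_CTRL_MTU + sizeof(BT_HDR))` (the name is only a suggestion), and pass that to all three `GKI_getbuf` calls so a future call site cannot drop the header term. Each allocation is followed by `p_pkt->offset = L2CAP_MIN_OFFSET` (`p_buf->offset` in the last hunk), so the payload presumably starts that many bytes past the header and the room left for it is smaller than MCA_CTRL_MTU. The writes into the buffer lie outside these hunks, so it is worth confirming that they are bounded by that remaining space and stating the bound in a comment beside the allocation, e.g. `/* BT_HDR + L2CAP_MIN_OFFSET + payload must fit in this buffer */`.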