system/bt
Revisión | 1c90ccea1068a7081a1268621f4c527a2f181606 (tree) |
---|---|
Tiempo | 2018-10-20 01:33:43 |
Autor | android-build-team Robot <android-build-team-robot@goog...> |
Commiter | android-build-team Robot |
Merge cherrypicks of [5313290, 5313323, 5313343, 5313415, 5313291, 5313441, 5313557, 5313344, 5313383, 5313384, 5313324, 5313325, 5313326, 5313294, 5313295, 5313296, 5313498] into oc-m8-release
Change-Id: If387e42363401bc4f4c362de2b66e910b38d7239
@@ -842,6 +842,14 @@ void l2c_lcc_proc_pdu(tL2C_CCB* p_ccb, BT_HDR* p_buf) { | ||
842 | 842 | return; |
843 | 843 | } |
844 | 844 | |
845 | + if (sdu_length < p_buf->len) { | |
846 | + L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d", __func__, sdu_length); | |
847 | + android_errorWriteWithInfoLog(0x534e4554, "112321180", -1, NULL, 0); | |
848 | + /* Discard the buffer */ | |
849 | + osi_free(p_buf); | |
850 | + return; | |
851 | + } | |
852 | + | |
845 | 853 | p_data = (BT_HDR*)osi_malloc(L2CAP_MAX_BUF_SIZE); |
846 | 854 | if (p_data == NULL) { |
847 | 855 | osi_free(p_buf); |
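Review bot: The new guard `if (sdu_length < p_buf->len)` has no comment saying what `p_buf->len` covers at this point, and the hunk does not show whether the 2-byte SDU length field has already been subtracted from it. If it has not, the comparison is off by two and a first segment that carries a complete SDU would be discarded; this needs confirming against the lines of l2c_lcc_proc_pdu above the hunk, which are outside it. I would add `/* The first segment must not carry more payload than the SDU length it announces */` above the check. The trace should also log both values so the event can be triaged, e.g. `L2CAP_TRACE_ERROR("%s: Invalid sdu_length: %d, segment len: %d", __func__, sdu_length, p_buf->len);`.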
@@ -277,6 +277,11 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
277 | 277 | uint16_t total, cur_handles, orig; |
278 | 278 | uint8_t cont_len; |
279 | 279 | |
280 | + if (p_reply + 8 > p_reply_end) { | |
281 | + android_errorWriteLog(0x534e4554, "74249842"); | |
282 | + sdp_disconnect(p_ccb, SDP_GENERIC_ERROR); | |
283 | + return; | |
284 | + } | |
280 | 285 | /* Skip transaction, and param len */ |
281 | 286 | p_reply += 4; |
282 | 287 | BE_STREAM_TO_UINT16(total, p_reply); |
@@ -295,6 +300,12 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
295 | 300 | if (p_ccb->num_handles > sdp_cb.max_recs_per_search) |
296 | 301 | p_ccb->num_handles = sdp_cb.max_recs_per_search; |
297 | 302 | |
303 | + if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) { | |
304 | + android_errorWriteLog(0x534e4554, "74249842"); | |
305 | + sdp_disconnect(p_ccb, SDP_GENERIC_ERROR); | |
306 | + return; | |
307 | + } | |
308 | + | |
298 | 309 | for (xx = orig; xx < p_ccb->num_handles; xx++) |
299 | 310 | BE_STREAM_TO_UINT32(p_ccb->handles[xx], p_reply); |
300 | 311 |
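Review bot: Both added bounds checks in process_service_search_rsp compute a pointer first and compare afterwards: `p_reply + 8 > p_reply_end` in the earlier hunk and `p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end` in this one. In exactly the case the check is meant to catch, that forms a pointer beyond the end of the reply, which is undefined behaviour, so a compiler may assume it never happens. Comparing the remaining length keeps the arithmetic in range: `if (p_reply_end - p_reply < 8)` and `if (p_reply_end - p_reply < ((p_ccb->num_handles - orig) * 4) + 1)`. The constants `8` and `+ 1` are also unexplained. A one-line comment naming the fields they cover would help; presumably these are the 4 skipped bytes plus two 16-bit counts, and the continuation-length byte, but the lines between the two hunks are not shown, so this needs confirming.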