authorMyles Watson <mylesgw@google.com>2020-10-29 13:05:21 -0700
committerandroid-build-team Robot <android-build-team-robot@google.com>2020-11-18 22:51:50 +0000
commit35fad6ff76f5bc4079b8e1cbee7bddae3e349222 (patch)
treeec1db008f1638fc2321a05343df588222314d6a7
parent87c6f2c1cbd191efd18d985c791d8feaa9794cee (diff)
downloadbt-35fad6ff76f5bc4079b8e1cbee7bddae3e349222.tar.gz
ACL: Drop broadcasts
Bug: 169327567 Test: compiles Tag: #security Change-Id: Id4231fd7a142d630a2ada0f41a90e01afc011045 Merged-In: Id4231fd7a142d630a2ada0f41a90e01afc011045 (cherry picked from commit 83c32e8e8c0c27333779c64b74473cad86670265)
-rw-r--r--hci/src/packet_fragmenter.cc10
1 files changed, 10 insertions, 0 deletions
diff --git a/hci/src/packet_fragmenter.cc b/hci/src/packet_fragmenter.cc
index ebd9c3ada..4c235aee0 100644
--- a/hci/src/packet_fragmenter.cc
+++ b/hci/src/packet_fragmenter.cc
@@ -35,10 +35,12 @@
#define APPLY_START_FLAG(handle) (((handle)&0xCFFF) | 0x2000)
#define SUB_EVENT(event) ((event)&MSG_SUB_EVT_MASK)
#define GET_BOUNDARY_FLAG(handle) (((handle) >> 12) & 0x0003)
+#define GET_BROADCAST_FLAG(handle) (((handle) >> 14) & 0x0003)
#define HANDLE_MASK 0x0FFF
#define START_PACKET_BOUNDARY 2
#define CONTINUATION_PACKET_BOUNDARY 1
+#define POINT_TO_POINT 0
#define L2CAP_HEADER_PDU_LEN_SIZE 2
#define L2CAP_HEADER_CID_SIZE 2
#define L2CAP_HEADER_SIZE (L2CAP_HEADER_PDU_LEN_SIZE + L2CAP_HEADER_CID_SIZE)
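Review bot: The two added macros have no comment saying which field they decode, and `POINT_TO_POINT` sits between the boundary constants and the L2CAP sizes, where it reads like another boundary value. A one-line comment above `GET_BROADCAST_FLAG` would help, for example `// Broadcast Flag: bits 14-15 of the HCI ACL handle word; 0 = point-to-point, anything else is dropped`. Renaming the constant to something like `BROADCAST_FLAG_POINT_TO_POINT` would tie it to the macro that produces the value it is compared against.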
@@ -131,8 +133,16 @@ static void reassemble_and_dispatch(BT_HDR* packet) {
CHECK(acl_length == packet->len - HCI_ACL_PREAMBLE_SIZE);
uint8_t boundary_flag = GET_BOUNDARY_FLAG(handle);
+ uint8_t broadcast_flag = GET_BROADCAST_FLAG(handle);
handle = handle & HANDLE_MASK;
+ if (broadcast_flag != POINT_TO_POINT) {
+ LOG_WARN(LOG_TAG, "dropping broadcast packet");
+ android_errorWriteLog(0x534e4554, "169327567");
+ buffer_allocator->free(packet);
+ return;
+ }
+
if (boundary_flag == START_PACKET_BOUNDARY) {
if (acl_length < 2) {
LOG_WARN(LOG_TAG, "%s invalid acl_length %d", __func__, acl_length);
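Review bot: The added `LOG_WARN(LOG_TAG, "dropping broadcast packet");` records neither the function name, the connection handle nor the flag value, unlike the `%s invalid acl_length %d` warning a few lines below, so a drop cannot be tied to a link during triage. Consider `LOG_WARN(LOG_TAG, "%s dropping broadcast packet, handle 0x%04x flag %d", __func__, handle, broadcast_flag);`, since `handle` is already masked at that point. The drop also comes after the `CHECK(acl_length == ...)` context line, so a broadcast frame with an inconsistent length would presumably trip that CHECK before it is discarded; it is worth confirming that ordering is intended. The commit message lists only "Test: compiles", so a unit test that feeds a packet with a non-zero broadcast flag and asserts that nothing is dispatched would pin the fix. `reassemble_and_dispatch` starts and ends outside the hunk.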