authorKeith Mok <keithmok@google.com>2022-09-23 18:37:35 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2022-09-23 18:37:35 +0000
commitb610e94de7de4b78f8d8dcc23ce7887479f9c1f2 (patch)
tree6f2b6cbb07cbd343ac55f8dc26422b0e7ccfd020
parent2c5d1d2f5cf82d5f84bd6811c0eb229334f38100 (diff)
parentba7d7e4560a2f415e6d3fc9fbe3503e45cef88d0 (diff)
Merge "Add length check when copy AVDT and AVCT packet" into qt-dev am: ba7d7e4560
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/19680473 Change-Id: If3f87e5cbebba16e003c92ca8f690cb54cec8aa6 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--stack/avct/avct_lcb_act.cc8
-rw-r--r--stack/avdt/avdt_msg.cc6
2 files changed, 11 insertions, 3 deletions
diff --git a/stack/avct/avct_lcb_act.cc b/stack/avct/avct_lcb_act.cc
index 5ea8e6551..c980f0a22 100644
--- a/stack/avct/avct_lcb_act.cc
+++ b/stack/avct/avct_lcb_act.cc
@@ -91,13 +91,19 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) {
if (p_lcb->p_rx_msg != NULL)
AVCT_TRACE_WARNING("Got start during reassembly");
- osi_free(p_lcb->p_rx_msg);
+ osi_free_and_reset((void**)&p_lcb->p_rx_msg);
/*
* Allocate bigger buffer for reassembly. As lower layers are
* not aware of possible packet size after reassembly, they
* would have allocated smaller buffer.
*/
+ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
+ android_errorWriteLog(0x534e4554, "232023771");
+ osi_free(p_buf);
+ p_ret = NULL;
+ return p_ret;
+ }
p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
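Review bot: The new guard and the memcpy two lines below each spell out `sizeof(BT_HDR) + p_buf->offset + p_buf->len` separately, so a later edit to one expression can silently let the copy length drift away from the bound that protects it; compute it once, `const size_t copy_len = sizeof(BT_HDR) + p_buf->offset + p_buf->len;`, then `if (copy_len > BT_DEFAULT_BUFFER_SIZE) { ... }` and `memcpy(p_lcb->p_rx_msg, p_buf, copy_len);`. The drop path frees `p_buf` before returning NULL, which matches the ownership the success path appears to take (the avdt hunk below shows the same pattern freeing the original buffer after the copy), but it means a caller that retries or logs from `p_buf` after a NULL return would be a use-after-free; a short comment on the early return, `/* p_buf is consumed on every path, including this oversize drop. */`, would make that contract explicit. This bound only covers the start fragment; the continuation path that appends later fragments into `p_rx_msg` is outside this hunk and should be confirmed to enforce the same BT_DEFAULT_BUFFER_SIZE limit, otherwise the reassembly buffer can still be overrun by a long sequence of small fragments. `p_ret = NULL; return p_ret;` could simply be `return NULL;`. avct_lcb_msg_asmbl's body starts and ends outside the hunk.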
diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index 406f7f7ba..bf83d191e 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
@@ -1250,11 +1250,13 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
* not aware of possible packet size after reassembly, they
* would have allocated smaller buffer.
*/
- p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
android_errorWriteLog(0x534e4554, "232023771");
- return NULL;
+ osi_free(p_buf);
+ p_ret = NULL;
+ return p_ret;
}
+ p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
/* Free original buffer */