author | Keith Mok <keithmok@google.com> | 2022-09-23 18:37:35 +0000 |
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-09-23 18:37:35 +0000 |
commit | b610e94de7de4b78f8d8dcc23ce7887479f9c1f2 (patch) | |
tree | 6f2b6cbb07cbd343ac55f8dc26422b0e7ccfd020 | |
parent | 2c5d1d2f5cf82d5f84bd6811c0eb229334f38100 (diff) | |
parent | ba7d7e4560a2f415e6d3fc9fbe3503e45cef88d0 (diff) | |
download | bt-b610e94de7de4b78f8d8dcc23ce7887479f9c1f2.tar.gz |
Merge "Add length check when copy AVDT and AVCT packet" into qt-dev am: ba7d7e4560
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/19680473
Change-Id: If3f87e5cbebba16e003c92ca8f690cb54cec8aa6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | stack/avct/avct_lcb_act.cc | 8 | ||||
-rw-r--r-- | stack/avdt/avdt_msg.cc | 6 |
2 files changed, 11 insertions, 3 deletions
diff --git a/stack/avct/avct_lcb_act.cc b/stack/avct/avct_lcb_act.cc
index 5ea8e6551..c980f0a22 100644
--- a/stack/avct/avct_lcb_act.cc
+++ b/stack/avct/avct_lcb_act.cc
@@ -91,13 +91,19 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) {
     if (p_lcb->p_rx_msg != NULL)
       AVCT_TRACE_WARNING("Got start during reassembly");
-    osi_free(p_lcb->p_rx_msg);
+    osi_free_and_reset((void**)&p_lcb->p_rx_msg);
     /*
      * Allocate bigger buffer for reassembly. As lower layers are
      * not aware of possible packet size after reassembly, they
      * would have allocated smaller buffer.
      */
+    if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
+      android_errorWriteLog(0x534e4554, "232023771");
+      osi_free(p_buf);
+      p_ret = NULL;
+      return p_ret;
+    }
     p_lcb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
     memcpy(p_lcb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index 406f7f7ba..bf83d191e 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
@@ -1250,11 +1250,13 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
      * not aware of possible packet size after reassembly, they
      * would have allocated smaller buffer.
      */
-    p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
     if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
       android_errorWriteLog(0x534e4554, "232023771");
-      return NULL;
+      osi_free(p_buf);
+      p_ret = NULL;
+      return p_ret;
     }
+    p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
     memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
     /* Free original buffer */
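Review bot: The new size check in avct_lcb_msg_asmbl carries no comment, so the only hint of its purpose is the SafetyNet log call; a reader needs to know it exists because the memcpy two lines below writes `sizeof(BT_HDR) + offset + len` bytes into a buffer of exactly BT_DEFAULT_BUFFER_SIZE, and the existing comment above only explains why the buffer is bigger, not why it is bounded. I would add, above the `if`, `/* Drop start fragments that would not fit the fixed-size reassembly buffer; the memcpy below is not bounded otherwise (b/232023771). */`. The `p_ret = NULL; return p_ret;` pair in both this hunk and the avdt_msg.cc hunk is just `return NULL;` unless p_ret is needed for a cleanup label further down, which is outside the hunk; if it is not, the plain return reads more clearly. The continuation-fragment path of avct_lcb_msg_asmbl that appends later packets to p_rx_msg is also outside the hunk, so confirm that it bounds its appends against the same BT_DEFAULT_BUFFER_SIZE, since this check only covers the first fragment.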
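Review bot: The early return in avdt_msg_asmbl now happens before any p_rx_msg is allocated, so it is correct only if the free of a previous partial message earlier in the function (outside the hunk) also resets p_ccb->p_rx_msg to NULL; the avct hunk had to switch from `osi_free` to `osi_free_and_reset` for exactly this case, because a still-set pointer would make the next continuation fragment append into freed memory. If the avdt path still uses plain `osi_free(p_ccb->p_rx_msg)`, change it to `osi_free_and_reset((void**)&p_ccb->p_rx_msg);` as in the avct file. Moving the osi_malloc below the check also closes the buffer leak the previous version had on the reject path, which is worth a one-line comment above the `if` so the ordering is not "fixed" back, e.g. `/* Check size before allocating: the reject path must not leak p_rx_msg (b/232023771). */`. The rest of avdt_msg_asmbl continues outside the hunk.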