author | android-build-team Robot <android-build-team-robot@google.com> | 2017-04-21 20:42:40 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2017-04-21 20:42:40 +0000 |
commit | 547cf07932b63f6b686c12d1d38af066e0bf8491 (patch) | |
tree | b9848c489af140573bbf222688ea6c7da21e7d8e | |
parent | fc027b44bceda01fc4cfb1d63d19787a095d915c (diff) | |
parent | 0bbd5c6a306899935a73b7493ad5bfce8e01f670 (diff) | |
Merge cherrypicks of [2007123, 2089669, 2072002, 2094113, 1989895, 2094094, 2017568, 2054111, 2054025, 2074928, 2066476, 2092431, 2053944, 2095243, 2092549, 2065088, 2007730, 2008313, 2053983, 2025333, 2094716, 2026590, 2059276, 2089422, 2080090] into nyc-mr2-pixel-monthly-releaseandroid-7.1.2_r33android-7.1.2_r32android-7.1.2_r29android-7.1.2_r27android-7.1.2_r25android-7.1.2_r24android-7.1.2_r17android-7.1.2_r16android-7.1.2_r15nougat-mr2.3-releasenougat-mr2.2-releasenougat-mr2-pixel-release
Change-Id: I15905521312ca9db242ef3eb65125df80b4a9275
-rw-r--r-- | stack/btm/btm_ble_gap.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
index 286787ea2..7fe3c99bd 100644
--- a/stack/btm/btm_ble_gap.c
+++ b/stack/btm/btm_ble_gap.c
@@ -28,6 +28,8 @@
 #include <stdio.h>
 #include <stddef.h>
+#include <log/log.h>
+
 #include "bt_types.h"
 #include "bt_utils.h"
 #include "btm_ble_api.h"
@@ -2285,7 +2287,7 @@ static void btm_ble_parse_adv_data(tBTM_INQ_INFO *p_info, UINT8 *p_data,
 ** Returns void
 **
 *******************************************************************************/
-void btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type)
+BOOLEAN btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, UINT8 evt_type)
 {
 tBTM_BLE_INQ_CB *p_le_inq_cb = &btm_cb.ble_ctr_cb.inq_var;
 UINT8 *p_cache;
@@ -2305,8 +2307,16 @@ void btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, U
 STREAM_TO_UINT8(length, p);
 while ( length && ((p_le_inq_cb->adv_len + length + 1) <= BTM_BLE_CACHE_ADV_DATA_MAX))
 {
+ /* adv record size must be smaller than the total adv data size */
+ if ((length + 1) > data_len) {
+ BTM_TRACE_ERROR("BTM - got incorrect LE advertising data");
+ android_errorWriteLog(0x534e4554, "33899337");
+ return FALSE;
+ }
 /* copy from the length byte & data into cache */
 memcpy(p_cache, p-1, length+1);
+ /* reduce the total data size by size of data copied */
+ data_len -= length + 1;
 /* advance the cache pointer past data */
 p_cache += length+1;
 /* increment cache length */
@@ -2316,6 +2326,7 @@ void btm_ble_cache_adv_data(tBTM_INQ_RESULTS *p_cur, UINT8 data_len, UINT8 *p, U
 STREAM_TO_UINT8(length, p);
 }
 }
+ return TRUE;
 /* parse service UUID from adv packet and save it in inq db eir_uuid */
 /* TODO */
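Review bot: The header comment above `btm_ble_cache_adv_data` still reads `** Returns void` in the unchanged context of the second hunk, although the function now returns `BOOLEAN`. Update it to something like `** Returns TRUE if every record fit within data_len, FALSE if a record length exceeds the remaining data`, so callers know that FALSE means the report was rejected as malformed. The comment block starts outside the hunk.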
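Review bot: Nothing in the third hunk stops the loop once `data_len` has been reduced to zero, so the trailing `STREAM_TO_UINT8(length, p)` at the bottom of the loop (context of the following hunk) still reads the byte after the last record. In the caller that byte appears to be the RSSI (`p1 = (p + data_len)`), so a well-formed payload that fills `data_len` exactly, followed by a non-zero byte small enough to pass the cache-size test, would take the new `return FALSE` path and emit the `android_errorWriteLog` event as if it were malformed. Consider adding `if (data_len == 0) break;` immediately before that trailing read. The loop body continues outside this hunk.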
@@ -2540,7 +2551,9 @@ BOOLEAN btm_ble_update_inq_result(tINQ_DB_ENT *p_i, UINT8 addr_type, UINT8 evt_t
 BTM_TRACE_WARNING("EIR data too long %d. discard", data_len);
 return FALSE;
 }
- btm_ble_cache_adv_data(p_cur, data_len, p, evt_type);
+ if (!btm_ble_cache_adv_data(p_cur, data_len, p, evt_type)) {
+ return FALSE;
+ }
 p1 = (p + data_len);
 STREAM_TO_UINT8 (rssi, p1); |
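Review bot: This early `return FALSE` leaves in place the records that `btm_ble_cache_adv_data` already copied into the cache and counted in `adv_len` before it reached the malformed one. Whether anything reads the cache after a rejected report is not visible here. If it can, restore `adv_len` to its entry value before the callee's `return FALSE`, so that a rejected report leaves no partial data behind. The enclosing function starts and ends outside the hunk.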