Add bounds check to l2cble_process_sig_cmd L2CAP_CMD_DISC_REQ

Bug: 74121659 Test: Compiles Change-Id: Idf58e7b25b41ae1bd43cdd51de424b18e03cc7e8 (cherry picked from commit ca4f8a18bce9331360144f1dbc51db1e2525bcc3)
author: Ajay Panicker <apanicke@google.com> 2018-04-12 17:03:09 -0700
committer: android-build-team Robot <android-build-team-robot@google.com> 2018-06-04 23:32:46 +0000
commit: 8ec3109302ebe9a964a6aca532d27484959f1737 (patch)
tree: b93ada29843a702a313b22c03051162c45f5c899
parent: fa85877401bf437c1f714beabd5ddb606abf9156 (diff)
download: bt-8ec3109302ebe9a964a6aca532d27484959f1737.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index 6c7820f66..17ce2d305 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -33,6 +33,7 @@
 #include "hcimsgs.h"
 #include "l2c_int.h"
 #include "l2cdefs.h"
+#include "log/log.h"
 #include "osi/include/osi.h"
 #include "stack_config.h"
 
@@ -788,6 +789,10 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
       break;
 
     case L2CAP_CMD_DISC_REQ:
+      if (p + 4 > p_pkt_end) {
+        android_errorWriteLog(0x534e4554, "74121659");
+        return;
+      }
       STREAM_TO_UINT16(lcid, p);
       STREAM_TO_UINT16(rcid, p);
author	Ajay Panicker <apanicke@google.com>	2018-04-12 17:03:09 -0700
committer	android-build-team Robot <android-build-team-robot@google.com>	2018-06-04 23:32:46 +0000
commit	8ec3109302ebe9a964a6aca532d27484959f1737 (patch)
tree	b93ada29843a702a313b22c03051162c45f5c899
parent	fa85877401bf437c1f714beabd5ddb606abf9156 (diff)
download	bt-8ec3109302ebe9a964a6aca532d27484959f1737.tar.gz