Add BT_HDR length check for received AVCTP packets

Bug: 79944113 Test: Code compilation Change-Id: I02c76ab8fad61669394062bf34656ea32f465b6a Merged-In: I02c76ab8fad61669394062bf34656ea32f465b6a (cherry picked from commit 4262b932e487b19d578d79e0120cf03291f44efc) (cherry picked from commit fa538540a7f147b8440ac49735a8dc596ce8dfc7)
author: Pavlin Radoslavov <pavlin@google.com> 2018-05-31 11:04:54 -0700
committer: android-build-team Robot <android-build-team-robot@google.com> 2018-08-03 19:16:50 +0000
commit: c9487370cc1883f93691c92acbb984c758d9605d (patch)
tree: 505c4ec56606b63a63fe0cf818c5cefe8274b79b
parent: dd77b7decc1f02532e1f7cec6d6dde99b29c99ff (diff)
download: bt-c9487370cc1883f93691c92acbb984c758d9605d.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/stack/avct/avct_bcb_act.cc b/stack/avct/avct_bcb_act.cc
index 70d8ce743..011a52db7 100644
--- a/stack/avct/avct_bcb_act.cc
+++ b/stack/avct/avct_bcb_act.cc
@@ -69,6 +69,12 @@ static BT_HDR* avct_bcb_msg_asmbl(UNUSED_ATTR tAVCT_BCB* p_bcb, BT_HDR* p_buf) {
   uint8_t* p;
   uint8_t pkt_type;
 
+  if (p_buf->len == 0) {
+    osi_free_and_reset((void**)&p_buf);
+    android_errorWriteLog(0x534e4554, "79944113");
+    return nullptr;
+  }
+
   /* parse the message header */
   p = (uint8_t*)(p_buf + 1) + p_buf->offset;
   pkt_type = AVCT_PKT_TYPE(p);
author	Pavlin Radoslavov <pavlin@google.com>	2018-05-31 11:04:54 -0700
committer	android-build-team Robot <android-build-team-robot@google.com>	2018-08-03 19:16:50 +0000
commit	c9487370cc1883f93691c92acbb984c758d9605d (patch)
tree	505c4ec56606b63a63fe0cf818c5cefe8274b79b
parent	dd77b7decc1f02532e1f7cec6d6dde99b29c99ff (diff)
download	bt-c9487370cc1883f93691c92acbb984c758d9605d.tar.gz