Fix OOB read in process_l2cap_cmd

Test: manual Bug: 79488381 Change-Id: I723866ed40d3647fed99875f659bb95df96a6969 (cherry picked from commit 5bb66307b555b17d1764e116316ce50c687c9653)
author: Hansong Zhang <hsz@google.com> 2018-07-12 10:44:29 -0700
committer: android-build-team Robot <android-build-team-robot@google.com> 2018-07-27 18:46:14 +0000
commit: d5b44f6522c3294d6f5fd71bc6670f625f716460 (patch)
tree: fa2255512588b51746703d6e058fbdf66b7b3424
parent: bdbabb2ca4ebb4dc5971d3d42cb12f8048e23a23 (diff)
download: bt-d5b44f6522c3294d6f5fd71bc6670f625f716460.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/stack/l2cap/l2c_main.cc b/stack/l2cap/l2c_main.cc
index 2574f88c5..a69c02942 100644
--- a/stack/l2cap/l2c_main.cc
+++ b/stack/l2cap/l2c_main.cc
@@ -511,6 +511,7 @@ static void process_l2cap_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
             default:
               /* sanity check option length */
               if ((cfg_len + L2CAP_CFG_OPTION_OVERHEAD) <= cmd_len) {
+                if (p + cfg_len > p_next_cmd) return;
                 p += cfg_len;
                 if ((cfg_code & 0x80) == 0) {
                   cfg_rej_len += cfg_len + L2CAP_CFG_OPTION_OVERHEAD;
author	Hansong Zhang <hsz@google.com>	2018-07-12 10:44:29 -0700
committer	android-build-team Robot <android-build-team-robot@google.com>	2018-07-27 18:46:14 +0000
commit	d5b44f6522c3294d6f5fd71bc6670f625f716460 (patch)
tree	fa2255512588b51746703d6e058fbdf66b7b3424
parent	bdbabb2ca4ebb4dc5971d3d42cb12f8048e23a23 (diff)
download	bt-d5b44f6522c3294d6f5fd71bc6670f625f716460.tar.gz