Add packet length check for received AVCTP packets

Bug: 79944113
Test: Manual: Custom test program and extra logging
Change-Id: Icde465fed723bf876ce3885d11099fddcb92de81
Merged-In: Icde465fed723bf876ce3885d11099fddcb92de81
(cherry picked from commit 2a934acf498a6b715cc7c634123aa403a70fe9e6)
(cherry picked from commit d6fb21d8d8ae20addfc51246d840151fc86d8572)

1 files changed, 9 insertions, 0 deletions

diff --git a/stack/avct/avct_bcb_act.cc b/stack/avct/avct_bcb_act.cc
index bd99562ca..70d8ce743 100644
--- a/stack/avct/avct_bcb_act.cc
+++ b/stack/avct/avct_bcb_act.cc
@@ -25,6 +25,7 @@
 *
  *****************************************************************************/
 
+#include <log/log.h>
 #include <string.h>
 #include "avct_api.h"
 #include "avct_int.h"
@@ -520,6 +521,14 @@ void avct_bcb_msg_ind(tAVCT_BCB* p_bcb, tAVCT_LCB_EVT* p_data) {
     return;
   }
 
+  if (p_data->p_buf->len < AVCT_HDR_LEN_SINGLE) {
+    AVCT_TRACE_WARNING("Invalid AVCTP packet length %d: must be at least %d",
+                       p_data->p_buf->len, AVCT_HDR_LEN_SINGLE);
+    osi_free_and_reset((void**)&p_data->p_buf);
+    android_errorWriteLog(0x534e4554, "79944113");
+    return;
+  }
+
   p = (uint8_t*)(p_data->p_buf + 1) + p_data->p_buf->offset;
 
   /* parse header byte */