authorandroid-build-team Robot <android-build-team-robot@google.com>2018-11-15 18:21:19 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2018-11-15 18:21:19 +0000
commiteea3466eeae0377eca78fdbded598be97228674c (patch)
tree7b42d52c0e38a254f92b9ccbd8d0f9e3d9bf5fbe /stack/mcap/mca_cact.cc
parentb8da9c304f53d4a254638c9b70a40c111e0ed685 (diff)
parent94d718eb61cbb1e6fd08288039d7e62913735c6c (diff)
Merge cherrypicks of [5532243, 5532244, 5532245, 5532246, 5532247, 5532826, 5530552, 5532902, 5530553, 5531520, 5532903, 5530554, 5529581, 5529582, 5531521, 5532979, 5532999, 5532248, 5531522, 5531523, 5531524, 5531525, 5531526, 5529583, 5529584, 5529585, 5529586, 5531351, 5529632, 5530506, 5530507, 5532980, 5533000] into pi-qpr1-releaseandroid-9.0.0_r30pie-qpr1-release
Change-Id: Iec1d9c99fe3d220ff9dfed33550a1b1b597f8ee8
Diffstat (limited to 'stack/mcap/mca_cact.cc')
-rw-r--r--stack/mcap/mca_cact.cc17
1 files changed, 14 insertions, 3 deletions
diff --git a/stack/mcap/mca_cact.cc b/stack/mcap/mca_cact.cc
index 98a368852..45159ca5c 100644
--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc
@@ -449,12 +449,23 @@ void mca_ccb_hdl_rsp(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
tMCA_RESULT result = MCA_BAD_HANDLE;
tMCA_TC_TBL* p_tbl;
- if (p_ccb->p_tx_req) {
+ if (p_pkt->len < sizeof(evt_data.hdr.op_code) +
+ sizeof(evt_data.rsp.rsp_code) +
+ sizeof(evt_data.hdr.mdl_id)) {
+ android_errorWriteLog(0x534e4554, "116319076");
+ MCA_TRACE_ERROR("%s: Response packet is too short", __func__);
+ } else if (p_ccb->p_tx_req) {
/* verify that the received response matches the sent request */
p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
evt_data.hdr.op_code = *p++;
- if ((evt_data.hdr.op_code == 0) ||
- ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
+ if ((evt_data.hdr.op_code == MCA_OP_MDL_CREATE_RSP) &&
+ (p_pkt->len <
+ sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) +
+ sizeof(evt_data.hdr.mdl_id) + sizeof(evt_data.create_cfm.cfg))) {
+ android_errorWriteLog(0x534e4554, "116319076");
+ MCA_TRACE_ERROR("%s: MDL Create Response packet is too short", __func__);
+ } else if ((evt_data.hdr.op_code == 0) ||
+ ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
evt_data.rsp.rsp_code = *p++;
mca_stop_timer(p_ccb);
BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
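Review bot: Both new length checks spell the minimum response size as a sum of `sizeof` over `evt_data` members, written out twice, which ties the wire-format bound to the in-memory struct layout rather than to the bytes the parser consumes (`*p++`, `*p++`, `BE_STREAM_TO_UINT16`). A named constant such as `constexpr uint16_t kMcaRspMinLen = 1 + 1 + 2;  // op code, rsp code, MDL ID` would state the bound once, and the create-response check could extend it by the size of the configuration field. The two error branches also log and drop the packet without reaching `mca_stop_timer(p_ccb)`, so the pending `p_tx_req` is presumably left for the response timer to clean up. If that is intended, a short comment such as `/* malformed response dropped; pending request is left to the response timer */` would record it. The rest of `mca_ccb_hdl_rsp` lies outside the hunk, so the cleanup path should be confirmed there.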