Diffstat (limited to 'bta/pan/bta_pan_act.c')
-rw-r--r-- | bta/pan/bta_pan_act.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/bta/pan/bta_pan_act.c b/bta/pan/bta_pan_act.c index 199547817..f80dca1f8 100644 --- a/bta/pan/bta_pan_act.c +++ b/bta/pan/bta_pan_act.c @@ -26,6 +26,8 @@ #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE) +#include <cutils/log.h> + #include "bta_api.h" #include "bta_sys.h" #include "bt_common.h" @@ -176,6 +178,14 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst, if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) { /* offset smaller than data structure in front of actual data */ + if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len > + PAN_BUF_SIZE) { + android_errorWriteLog(0x534e4554, "63146237"); + APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__, + p_buf->len); + osi_free(p_buf); + return; + } p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE); memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS), (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len); |
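Review bot: The guard added in the second hunk, just before `osi_malloc(PAN_BUF_SIZE)`, bounds only the destination side of the `memcpy`. Nothing in the visible lines checks that `p_buf->offset + p_buf->len` stays inside the buffer `p_buf` was allocated with, so the source read still depends on the lower layer having validated those fields; that is worth confirming. The sum is computed in `size_t` because of the `sizeof` operands, so it should not wrap for a small unsigned `len`, but a comment would make the invariant explicit, e.g. `/* p_new_buf is PAN_BUF_SIZE bytes: BT_HDR + params + payload must fit */`. The literal `0x534e4554` passed to `android_errorWriteLog` would read better as a named constant, or with a one-line comment saying what the tag and the string id refer to. `bta_pan_data_buf_ind_cback` starts before and continues past this hunk, so the branch taken when the offset is already large enough is not visible here.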