Diffstat (limited to 'stack/avct/avct_bcb_act.cc')
-rw-r--r--stack/avct/avct_bcb_act.cc15
1 files changed, 15 insertions, 0 deletions
diff --git a/stack/avct/avct_bcb_act.cc b/stack/avct/avct_bcb_act.cc
index bd99562ca..011a52db7 100644
--- a/stack/avct/avct_bcb_act.cc
+++ b/stack/avct/avct_bcb_act.cc
@@ -25,6 +25,7 @@
*
*****************************************************************************/
+#include <log/log.h>
#include <string.h>
#include "avct_api.h"
#include "avct_int.h"
@@ -68,6 +69,12 @@ static BT_HDR* avct_bcb_msg_asmbl(UNUSED_ATTR tAVCT_BCB* p_bcb, BT_HDR* p_buf) {
uint8_t* p;
uint8_t pkt_type;
+ if (p_buf->len == 0) {
+ osi_free_and_reset((void**)&p_buf);
+ android_errorWriteLog(0x534e4554, "79944113");
+ return nullptr;
+ }
+
/* parse the message header */
p = (uint8_t*)(p_buf + 1) + p_buf->offset;
pkt_type = AVCT_PKT_TYPE(p);
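Review bot: The zero-length guard in avct_bcb_msg_asmbl frees the buffer and returns without any trace message, while the matching guard this commit adds in avct_bcb_msg_ind logs `AVCT_TRACE_WARNING` with the offending length. Both paths write the same SafetyNet tag, so that event alone does not show which check rejected the packet. Adding `AVCT_TRACE_WARNING("%s: empty AVCTP packet dropped", __func__);` ahead of the free would keep the two drop paths consistent. A comment such as `/* AVCT_PKT_TYPE() reads the first header byte, so reject an empty buffer before parsing */` would also record why the check sits before the parse. The function body continues past the hunk, so whether later reads need more than one byte cannot be judged from the visible lines.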
@@ -520,6 +527,14 @@ void avct_bcb_msg_ind(tAVCT_BCB* p_bcb, tAVCT_LCB_EVT* p_data) {
return;
}
+ if (p_data->p_buf->len < AVCT_HDR_LEN_SINGLE) {
+ AVCT_TRACE_WARNING("Invalid AVCTP packet length %d: must be at least %d",
+ p_data->p_buf->len, AVCT_HDR_LEN_SINGLE);
+ osi_free_and_reset((void**)&p_data->p_buf);
+ android_errorWriteLog(0x534e4554, "79944113");
+ return;
+ }
+
p = (uint8_t*)(p_data->p_buf + 1) + p_data->p_buf->offset;
/* parse header byte */