Diffstat (limited to 'stack/avct/avct_bcb_act.cc')
-rw-r--r-- | stack/avct/avct_bcb_act.cc | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/stack/avct/avct_bcb_act.cc b/stack/avct/avct_bcb_act.cc
index bd99562ca..011a52db7 100644
--- a/stack/avct/avct_bcb_act.cc
+++ b/stack/avct/avct_bcb_act.cc
@@ -25,6 +25,7 @@
 *
 *****************************************************************************/
+#include <log/log.h>
 #include <string.h>
 #include "avct_api.h"
 #include "avct_int.h"
@@ -68,6 +69,12 @@ static BT_HDR* avct_bcb_msg_asmbl(UNUSED_ATTR tAVCT_BCB* p_bcb, BT_HDR* p_buf) {
 uint8_t* p;
 uint8_t pkt_type;
+ if (p_buf->len == 0) {
+ osi_free_and_reset((void**)&p_buf);
+ android_errorWriteLog(0x534e4554, "79944113");
+ return nullptr;
+ }
+ /* parse the message header */
 p = (uint8_t*)(p_buf + 1) + p_buf->offset;
 pkt_type = AVCT_PKT_TYPE(p);
@@ -520,6 +527,14 @@ void avct_bcb_msg_ind(tAVCT_BCB* p_bcb, tAVCT_LCB_EVT* p_data) {
 return;
 }
+ if (p_data->p_buf->len < AVCT_HDR_LEN_SINGLE) {
+ AVCT_TRACE_WARNING("Invalid AVCTP packet length %d: must be at least %d",
+ p_data->p_buf->len, AVCT_HDR_LEN_SINGLE);
+ osi_free_and_reset((void**)&p_data->p_buf);
+ android_errorWriteLog(0x534e4554, "79944113");
+ return;
+ }
+ p = (uint8_t*)(p_data->p_buf + 1) + p_data->p_buf->offset;
 /* parse header byte */ |
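Review bot: The new guard in avct_bcb_msg_asmbl rejects only `p_buf->len == 0`, which covers the single byte read by `AVCT_PKT_TYPE(p)` but not the rest of the header that the parsed packet type implies. If the code below the hunk (not visible here) reads further header fields or advances `offset`/`len` by a per-type header length, `p_buf->len` should be compared with that length once `pkt_type` is known, and a short buffer dropped the same way. The two literals passed to `android_errorWriteLog`, here and again in the avct_bcb_msg_ind hunk, are unexplained; a comment such as `/* 0x534e4554 is ASCII "SNET"; the string is the tracking bug id, logged so a dropped malformed packet shows up in the event log */` at the first use would help. The function body starts and continues outside the hunk.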
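Review bot: The length check in avct_bcb_msg_ind compares against `AVCT_HDR_LEN_SINGLE` before the header byte has been parsed, and nothing on the new lines says why the single-packet header is the right minimum for every packet reaching this point. Presumably this channel accepts only unfragmented packets, which should be confirmed against the code below the hunk; if so, a comment such as `/* only single packets are valid here, so anything shorter than the single-packet header cannot be parsed */` above the `if` would record it. The warning trace and the event-log write both run once per malformed packet received from the peer, so it is worth confirming that this path is rate-limited or otherwise cannot flood the logs. The function continues outside the hunk.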