From e5d3eb51be19c28674734bccd8355578fcb0dd93 Mon Sep 17 00:00:00 2001
From: Ted Wang <tedwang@google.com>
Date: Thu, 4 Aug 2022 09:41:24 +0800
Subject: Add length check when copy AVDTP packet

Bug: 232023771
Test: make
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
(cherry picked from commit 4e6981539d9f7427f56003b1ab5a7ea3ef6ea682)
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
---
 stack/avdt/avdt_msg.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index 33fbfa744..406f7f7ba 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
@@ -1251,6 +1251,10 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
      * would have allocated smaller buffer.
      */
     p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+    if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
+      android_errorWriteLog(0x534e4554, "232023771");
+      return NULL;
+    }
     memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
 
     /* Free original buffer */
-- 
cgit v1.2.3