From 1a8a5ece61c63560da589d36ed6597de73a5bb1a Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 31 Jan 2023 18:55:38 +0000
Subject: [PATCH] Fix an OOB bug in on_remove_iso_data_path

Bug: 236688764
Test: manul
Ignore-AOSP-First: security
Tag: #security
Change-Id: I0ef4855e715be8fa9a69916e35d3a6c97498a9cc
---
 system/stack/btm/btm_iso_impl.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/system/stack/btm/btm_iso_impl.h b/system/stack/btm/btm_iso_impl.h
index 4577abfbfd1..a53bdf54947 100644
--- a/system/stack/btm/btm_iso_impl.h
+++ b/system/stack/btm/btm_iso_impl.h
@@ -307,6 +307,10 @@ struct iso_impl {
     uint8_t status;
     uint16_t conn_handle;
 
+    if (len < 3) {
+      LOG(WARNING) << __func__ << "Malformatted packet received";
+      return;
+    }
     STREAM_TO_UINT8(status, stream);
     STREAM_TO_UINT16(conn_handle, stream);
 
-- 
GitLab