Commit 6b4acc4d authored by Brian Delwiche

Added max buffer length check

Bug: 230867224
Test: Manual -- paired Bluetooth headset and played audio
Tags: #security
Ignore-AOSP-First: Security
Change-Id: I6f70db549b3fbc7f958ee70c679db438e9538472
parent 96f108e8
......@@ -68,7 +68,12 @@ static BT_HDR* avct_lcb_msg_asmbl(tAVCT_LCB* p_lcb, BT_HDR* p_buf) {
pkt_type = AVCT_PKT_TYPE(p);
/* quick sanity check on length */
if (p_buf->len < avct_lcb_pkt_type_len[pkt_type]) {
if (p_buf->len < avct_lcb_pkt_type_len[pkt_type] ||
(sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE) {
if ((sizeof(BT_HDR) + p_buf->offset + p_buf->len) >
BT_DEFAULT_BUFFER_SIZE) {
android_errorWriteWithInfoLog(0x534e4554, "230867224", -1, NULL, 0);
}
osi_free(p_buf);
AVCT_TRACE_WARNING("Bad length during reassembly");
p_ret = NULL;
......
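Review bot: The oversize test `(sizeof(BT_HDR) + p_buf->offset + p_buf->len) > BT_DEFAULT_BUFFER_SIZE` is written out twice, once in the outer condition and again in the nested `if` that guards `android_errorWriteWithInfoLog`, so the two copies can drift apart in a later edit. Compute it once into a named local just above the check and use that local in both places. A short comment stating why `BT_DEFAULT_BUFFER_SIZE` is the right bound for `p_buf` would also help, since the existing comment still reads only "quick sanity check on length". Both rejection reasons share the single "Bad length during reassembly" warning, so a too-short packet and an oversized one are indistinguishable in the trace. The Test: line covers normal audio playback only, which does not exercise the new rejecting branch; a test that feeds an oversized `p_buf` through this function would cover it.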