From f7679c19e64e23697df81d14d085c94b5af01eed Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Fri, 9 Dec 2022 21:56:46 +0000
Subject: [PATCH] Fix an OOB bug in on_iso_link_quality_read

Bug: 260568750
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I58b259541a507d65271c4e8b61fcd878a3f90ec0
Change-Id: I58b259541a507d65271c4e8b61fcd878a3f90ec0
---
 system/stack/btm/btm_iso_impl.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/system/stack/btm/btm_iso_impl.h b/system/stack/btm/btm_iso_impl.h
index 661b5ca4e1c..4577abfbfd1 100644
--- a/system/stack/btm/btm_iso_impl.h
+++ b/system/stack/btm/btm_iso_impl.h
@@ -353,6 +353,13 @@ struct iso_impl {
     uint32_t rxUnreceivedPackets;
     uint32_t duplicatePackets;
 
+    // 1 + 2 + 4 * 7
+#define ISO_LINK_QUALITY_SIZE 31
+    if (len < ISO_LINK_QUALITY_SIZE) {
+      LOG(ERROR) << "Malformated link quality format, len=" << len;
+      return;
+    }
+
     STREAM_TO_UINT8(status, stream);
     if (status != HCI_SUCCESS) {
       LOG(ERROR) << "Failed to Read ISO Link Quality, status: "
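Review bot: The added `#define ISO_LINK_QUALITY_SIZE 31` sits inside a function body in a header, so the macro is not scoped to that function and stays defined for every file that includes btm_iso_impl.h after this point. A typed local constant avoids the leak and keeps the derivation in code instead of a comment, e.g. `constexpr uint16_t kIsoLinkQualitySize = 1 + 2 + 4 * 7;`, with the type chosen to match `len`, whose declaration is outside the hunk. Separately, the length check runs before `STREAM_TO_UINT8(status, stream)`, so a controller that sends a shortened event on failure would be logged as malformed and its status never reported. Checking `len < 1` first, reading the status, and only then requiring the full size would keep both the bounds guarantee and the diagnostic, though whether failure events are actually shortened is not visible here. The log string also misspells "Malformed" as `Malformated`, and the function body starts and ends outside the hunk.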
-- 
GitLab