Add a missing check for PAN buffer size before copying data

FPIIM-1501

Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit 1d909399cb4259243dac2e531e3ce6ca1afa77e7)
(cherry picked from commit aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
(cherry picked from commit d1145e0af3507e37d4bd25f1833e22c5c716f0ac)
diff --git a/bta/pan/bta_pan_act.c b/bta/pan/bta_pan_act.c
index c81fe71..d8ac8be 100644
--- a/bta/pan/bta_pan_act.c
+++ b/bta/pan/bta_pan_act.c
@@ -27,6 +27,9 @@
 #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)
 
 #include "btu.h"
+
+#include <cutils/log.h>
+
 #include "bta_api.h"
 #include "bta_sys.h"
 #include "gki.h"
@@ -229,6 +232,15 @@
 
     if ( sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset )
     {
+        if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
+            GKI_get_pool_bufsize(PAN_POOL_ID)) {
+            android_errorWriteLog(0x534e4554, "63146237");
+            APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
+                             p_buf->len);
+            GKI_freebuf(p_buf);
+            return;
+        }
+
         /* offset smaller than data structure in front of actual data */
         p_new_buf = (BT_HDR *)GKI_getpoolbuf( PAN_POOL_ID );
         if(!p_new_buf)
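Review bot: The added guard inside the `sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset` branch has no comment, and the literal `0x534e4554` passed to `android_errorWriteLog` is unexplained. I would put a comment above the `if`, for example `/* Drop frames that cannot fit a PAN pool buffer once BT_HDR and tBTA_PAN_DATA_PARAMS are prepended; 0x534e4554 is the "SNET" event-log tag. */`. The check bounds only the destination, and it presumably relies on `GKI_getpoolbuf(PAN_POOL_ID)` never returning a buffer smaller than `GKI_get_pool_bufsize(PAN_POOL_ID)`, which is worth stating in the same comment. The copy and the rest of the function lie outside this hunk, so it is not visible here whether `p_buf->offset + p_buf->len` is also checked against the source buffer. As a style point, the new `if (...) {` puts the brace on the same line while the surrounding code puts it on its own line.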