BNEP: Check received frame type Bug: 68818034 Test: build Issue: FPIIM-2596 Change-Id: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019 Merged-In: I2b9f32b92d72f226361e6a80f20f9c7ee77f6019 (cherry picked from commit 61e561d8b74600e67ee97d30cac04728adab1348)

commit: 77285ca1d3a1b15c2a535d42e280d962bf1d4c5b [log] [tgz]
author: Myles Watson <mylesgw@google.com> Thu Jan 11 14:20:26 2018 -0800
committer: Andrew Appleby <andrewa@fairphone.com> Mon Feb 12 11:03:19 2018 +0100
tree: 47d349a4891f635f79d399ee1f90a8a7aeda91cf
parent: 69c6850a93299224692817c118320cc56b775bf9 [diff]
diff --git a/stack/bnep/bnep_main.c b/stack/bnep/bnep_main.c
index 4ce6725..c3fa051 100644
--- a/stack/bnep/bnep_main.c
+++ b/stack/bnep/bnep_main.c

@@ -486,6 +486,12 @@
     type = *p++;
     extension_present = type >> 7;
     type &= 0x7f;
+    if (type >= sizeof(bnep_frame_hdr_sizes) / sizeof(bnep_frame_hdr_sizes[0])) {
+        BNEP_TRACE_EVENT("BNEP - rcvd frame, bad type: 0x%02x", type);
+        android_errorWriteLog(0x534e4554, "68818034");
+        GKI_freebuf (p_buf);
+        return;
+    }
     if ((rem_len <= bnep_frame_hdr_sizes[type]) || (rem_len > BNEP_MTU_SIZE))
     {
         BNEP_TRACE_EVENT ("BNEP - rcvd frame, bad len: %d  type: 0x%02x", p_buf->len, type);
commit	77285ca1d3a1b15c2a535d42e280d962bf1d4c5b	[log] [tgz]
author	Myles Watson <mylesgw@google.com>	Thu Jan 11 14:20:26 2018 -0800
committer	Andrew Appleby <andrewa@fairphone.com>	Mon Feb 12 11:03:19 2018 +0100
tree	47d349a4891f635f79d399ee1f90a8a7aeda91cf
parent	69c6850a93299224692817c118320cc56b775bf9 [diff]