Prevent buffer overflow caused by decrementing past zero
Bug: 33555809
Test: Sanity test with Bluetooth
Change-Id: I4c82d3c162ffdc9436f9cd8985061655a055774b
diff --git a/stack/bnep/bnep_utils.cc b/stack/bnep/bnep_utils.cc
index 06a5115..15559e9 100644
--- a/stack/bnep/bnep_utils.cc
+++ b/stack/bnep/bnep_utils.cc
@@ -716,6 +716,7 @@
uint8_t control_type;
bool bad_pkt = false;
uint16_t len, ext_len = 0;
+ uint16_t rem_len_prev = *rem_len;
if (is_ext) {
ext_len = *p++;
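Review bot: The `ext_len = *p++;` read in the `is_ext` branch has no visible guard that `*rem_len` is at least 1, so an empty remainder would be dereferenced long before the new post-switch comparison runs. A check such as `if (is_ext && *rem_len < 1) { *rem_len = 0; return NULL; }` ahead of the read would close that gap. The function starts and continues outside this hunk, so an earlier guard may exist that is not shown here. The new local would also benefit from a comment, for example `// Snapshot of the incoming length; a larger value later means *rem_len wrapped below zero.`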
@@ -802,7 +803,7 @@
break;
}
- if (bad_pkt) {
+ if (bad_pkt || *rem_len > rem_len_prev) {
BNEP_TRACE_ERROR("BNEP - bad ctl pkt length: %d", *rem_len);
*rem_len = 0;
return NULL;
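Review bot: The `*rem_len > rem_len_prev` test only notices the wrap after the switch has finished, so any case body that consumed bytes through `p` using an underflowed length has already done so. It stops the caller from trusting a wrapped length, but it does not bound the reads inside this function. The switch body is outside the hunk, so this is inferred from the placement of the check. The comparison is also not a complete wrap detector in principle, because two successive `uint16_t` decrements can wrap and land back at or below `rem_len_prev`. Validating before each subtraction is more robust, for example `if (*rem_len < needed) { bad_pkt = true; break; }`, where `needed` stands for the bytes that case consumes, with this comparison kept as a backstop.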