Prevent buffer overflow caused by decrementing past zero Bug: 33555809 Test: Sanity test with Bluetooth Change-Id: I4c82d3c162ffdc9436f9cd8985061655a055774b

commit: 882db61b7309a06c7e4983f967d95f1fea62f5c3 [log] [tgz]
author: Ajay Panicker <apanicke@google.com> Tue Dec 13 10:51:12 2016 -0800
committer: Ajay Panicker <apanicke@google.com> Thu Apr 27 22:15:27 2017 +0000
tree: a7c6a35a793f120fd64f34a31beb4281c9c32ada
parent: 7c8bab231328956d3b7569280cb162be4e345422 [diff]
diff --git a/stack/bnep/bnep_utils.cc b/stack/bnep/bnep_utils.cc
index 06a5115..15559e9 100644
--- a/stack/bnep/bnep_utils.cc
+++ b/stack/bnep/bnep_utils.cc

@@ -716,6 +716,7 @@
   uint8_t control_type;
   bool bad_pkt = false;
   uint16_t len, ext_len = 0;
+  uint16_t rem_len_prev = *rem_len;
 
   if (is_ext) {
     ext_len = *p++;
@@ -802,7 +803,7 @@
       break;
   }
 
-  if (bad_pkt) {
+  if (bad_pkt || *rem_len > rem_len_prev) {
     BNEP_TRACE_ERROR("BNEP - bad ctl pkt length: %d", *rem_len);
     *rem_len = 0;
     return NULL;
commit	882db61b7309a06c7e4983f967d95f1fea62f5c3	[log] [tgz]
author	Ajay Panicker <apanicke@google.com>	Tue Dec 13 10:51:12 2016 -0800
committer	Ajay Panicker <apanicke@google.com>	Thu Apr 27 22:15:27 2017 +0000
tree	a7c6a35a793f120fd64f34a31beb4281c9c32ada
parent	7c8bab231328956d3b7569280cb162be4e345422 [diff]