Merge "DO NOT MERGE Check remaining frame length in rfc_process_mx_message" into nyc-dev
diff --git a/stack/rfcomm/rfc_ts_frames.c b/stack/rfcomm/rfc_ts_frames.c
index 5e5f2e1..503e76d 100644
--- a/stack/rfcomm/rfc_ts_frames.c
+++ b/stack/rfcomm/rfc_ts_frames.c
@@ -679,6 +679,14 @@
UINT8 ea, cr, mx_len;
BOOLEAN is_command;
+ if (length < 2) {
+ RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when reading EA, C/R."
+ " len:%d < 2", __func__, length);
+ android_errorWriteLog(0x534e4554, "111937065");
+ osi_free(p_buf);
+ return;
+ }
+
p_rx_frame->ea = *p_data & RFCOMM_EA;
p_rx_frame->cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
p_rx_frame->type = *p_data++ & ~(RFCOMM_CR_MASK | RFCOMM_EA_MASK);
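Review bot: The four-statement error exit added here (trace, `android_errorWriteLog`, `osi_free(p_buf)`, `return`) is repeated verbatim in the hunks at L23 and L37; a single `static` helper or a cleanup label taking the message would keep the three new exits from drifting apart and make it obvious that every rejection path releases `p_buf`. The constant `2` is not explained in the hunk, so a comment tying it to the reads it protects would help, e.g. `/* need the type octet and the first length octet; both are consumed below */`. If any pre-existing early `return` in this function leaves `p_buf` unreleased, it is now inconsistent with these new exits and should be checked; that code is outside the hunk. rfc_process_mx_message's body begins before and continues after this hunk.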
@@ -701,6 +709,13 @@
if (!ea)
{
+ if (length < 1) {
+ RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0.len:%d < 1",
+ __func__, length);
+ android_errorWriteLog(0x534e4554, "111937065");
+ osi_free(p_buf);
+ return;
+ }
mx_len += *p_data++ << RFCOMM_SHIFT_LENGTH2;
length --;
}
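Review bot: The error string on the added trace runs "EA = 0.len:%d" together without a separator, which makes the log harder to grep next to the "len:%d < 2" message from the first hunk; `RFCOMM_TRACE_ERROR("%s: Illegal MX Frame when EA = 0. len:%d < 1",` keeps the two messages in the same shape. The check itself is correctly placed before the second length octet is read and the `length --;` that follows it. The enclosing function continues outside the hunk.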
@@ -777,7 +792,14 @@
return;
case RFCOMM_MX_MSC:
-
+ if (length != RFCOMM_MX_MSC_LEN_WITH_BREAK &&
+ length != RFCOMM_MX_MSC_LEN_NO_BREAK) {
+ RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d", __func__,
+ length);
+ android_errorWriteLog(0x534e4554, "111937065");
+ osi_free(p_buf);
+ return;
+ }
ea = *p_data & RFCOMM_EA;
cr = (*p_data & RFCOMM_CR_MASK) >> RFCOMM_SHIFT_CR;
p_rx_frame->dlci = *p_data++ >> RFCOMM_SHIFT_DLCI;
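Review bot: The new MSC length check rejects the frame without saying what lengths were acceptable, unlike the "len:%d < 2" message in the first hunk; including the expected values makes triage of the logged event self-contained, e.g. `RFCOMM_TRACE_ERROR("%s: Illegal MX MSC Frame len:%d (expected %d or %d)", __func__, length, RFCOMM_MX_MSC_LEN_WITH_BREAK, RFCOMM_MX_MSC_LEN_NO_BREAK);`. Only the `RFCOMM_MX_MSC` case receives a per-type remaining-length check in this hunk; whether the other `case` labels of the same `switch` read payload octets without an equivalent guard cannot be seen from here and is worth confirming. The switch and the enclosing function extend beyond this hunk.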