author Hansong Zhang <hsz@google.com> 2018-06-07 16:18:52 -0700
committer Hansong Zhang <hsz@google.com> 2018-06-07 21:18:55 -0700
commit4ed6dc4ac21705f7f3a36e1c63c68c08e20695e8 (patch)
tree9a25b85c78e0551268a48a936c62446ce2ed5ce3
parent014682c671867432c3aaaf21a15945b8dbeefb32 (diff)
Add bound check for rfc_parse_data
Bug: 78288018 Test: manual Change-Id: I44349cd22c141483d01bce0f5a2131b727d0feb0
-rw-r--r--system/stack/include/rfcdefs.h7
-rw-r--r--system/stack/rfcomm/rfc_ts_frames.cc12
2 files changed, 11 insertions, 8 deletions
diff --git a/system/stack/include/rfcdefs.h b/system/stack/include/rfcdefs.h
index 5118ccd06e..ab3ceb60cf 100644
--- a/system/stack/include/rfcdefs.h
+++ b/system/stack/include/rfcdefs.h
@@ -89,13 +89,6 @@
(pf) = (*(p_data)++ & RFCOMM_PF_MASK) >> RFCOMM_PF_OFFSET; \
}
-#define RFCOMM_PARSE_LEN_FIELD(ea, length, p_data) \
- { \
- (ea) = (*(p_data)&RFCOMM_EA); \
- (length) = (*(p_data)++ >> RFCOMM_SHIFT_LENGTH1); \
- if (!(ea)) (length) += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2); \
- }
-
#define RFCOMM_FRAME_IS_CMD(initiator, cr) \
(((initiator) && !(cr)) || (!(initiator) && (cr)))
diff --git a/system/stack/rfcomm/rfc_ts_frames.cc b/system/stack/rfcomm/rfc_ts_frames.cc
index aa4138fa58..b959827084 100644
--- a/system/stack/rfcomm/rfc_ts_frames.cc
+++ b/system/stack/rfcomm/rfc_ts_frames.cc
@@ -26,6 +26,7 @@
#include "bt_common.h"
#include "bt_target.h"
#include "l2c_api.h"
+#include "log/log.h"
#include "port_api.h"
#include "port_int.h"
#include "rfc_int.h"
@@ -516,7 +517,16 @@ uint8_t rfc_parse_data(tRFC_MCB* p_mcb, MX_FRAME* p_frame, BT_HDR* p_buf) {
return (RFC_EVENT_BAD_FRAME);
}
RFCOMM_PARSE_TYPE_FIELD(p_frame->type, p_frame->pf, p_data);
- RFCOMM_PARSE_LEN_FIELD(eal, len, p_data);
+
+ eal = *(p_data)&RFCOMM_EA;
+ len = *(p_data)++ >> RFCOMM_SHIFT_LENGTH1;
+ if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN) {
+ len += (*(p_data)++ << RFCOMM_SHIFT_LENGTH2);
+ } else if (eal == 0) {
+ RFCOMM_TRACE_ERROR("Bad Length when EAL = 0: %d", p_buf->len);
+ android_errorWriteLog(0x534e4554, "78288018");
+ return RFC_EVENT_BAD_FRAME;
+ }
p_buf->len -= (3 + !ead + !eal + 1); /* Additional 1 for FCS */
p_buf->offset += (3 + !ead + !eal);
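Review bot: The comparison in the new guard looks inverted: `if (eal == 0 && p_buf->len < RFCOMM_CTRL_FRAME_LEN)` consumes the second length octet only when the buffer is *shorter* than the control-frame minimum, and the `else if (eal == 0)` branch then rejects every two-octet-length frame of at least that size. If the `return (RFC_EVENT_BAD_FRAME)` at the top of the hunk belongs to a minimum-length check (its condition is outside the hunk, so this is inferred), the first branch can never be taken and all EA=0 frames are dropped. The guard meant to prove a second length byte exists before it is read is `if (eal == 0 && p_buf->len > RFCOMM_CTRL_FRAME_LEN) {`. It would also help to record that intent next to it, e.g. `/* EA=0 means a second length octet follows; require it to be within the buffer */`. rfc_parse_data begins before this hunk and continues after it.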