From 521621d51591d3406038a6eb80e21902801cc5ce Mon Sep 17 00:00:00 2001
From: Myles Watson <mylesgw@google.com>
Date: Fri, 11 Aug 2017 16:47:28 -0700
Subject: [PATCH] Bluetooth: Check H4 HCI packet types

An invalid type byte can cause an access outside
the bounds of the array.

Bug: 64565737
Test: Bluetooth On/Off
Change-Id: Ie11dd62942f66b9fc60ebce2e4339c37d597fdf0
---
 bluetooth/1.0/default/h4_protocol.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bluetooth/1.0/default/h4_protocol.cc b/bluetooth/1.0/default/h4_protocol.cc
index 2008b00093..5a89557e39 100644
--- a/bluetooth/1.0/default/h4_protocol.cc
+++ b/bluetooth/1.0/default/h4_protocol.cc
@@ -81,6 +81,12 @@ void H4Protocol::OnDataReady(int fd) {
       }
     }
     hci_packet_type_ = static_cast<HciPacketType>(buffer[0]);
+    if (hci_packet_type_ != HCI_PACKET_TYPE_ACL_DATA &&
+        hci_packet_type_ != HCI_PACKET_TYPE_SCO_DATA &&
+        hci_packet_type_ != HCI_PACKET_TYPE_EVENT) {
+      LOG_ALWAYS_FATAL("%s: Unimplemented packet type %d", __func__,
+                       static_cast<int>(hci_packet_type_));
+    }
   } else {
     hci_packetizer_.OnDataReady(fd, hci_packet_type_);
   }