The current implementation uses `pad_len = *(p_start + len);`

to read the last byte from the packet, resulting one-byte
out-of-bound read.

Also avdt_scb_hdl_pkt_no_frag passes zero-lenth packets to
upper-layer, this patch adds code to detect such packets
and err out if detected

The regression test is I9c87e30ed58e7ad6a34ab7c96b0a8fb06324ad54

Bug: 258057241
Test: atest net_test_stack_avdtp
Ignore-AOSP-First: security
Merged-In: If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4
Change-Id: If0c7b25f2e6cb4531bbb6254e176e8ad1b5c5fb4
(cherry picked from commit 89255db501097bbec90e4fcfc48d634deb239cd6)

CRs-Fixed: 3446923

1 files changed, 3 insertions, 3 deletions

diff --git a/stack/avdt/avdt_scb_act.cc b/stack/avdt/avdt_scb_act.cc
index fc354068a..9606f5383 100644
--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
@@ -282,7 +282,7 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) {
     p += ex_len * 4;
   }
 
-  if ((p - p_start) > len) {
+  if ((p - p_start) >= len) {
     android_errorWriteLog(0x534e4554, "142546355");
     osi_free_and_reset((void**)&p_data->p_pkt);
     return;
@@ -292,11 +292,11 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) {
   /* adjust length for any padding at end of packet */
   if (o_p) {
     /* padding length in last byte of packet */
-    pad_len = *(p_start + len);
+    pad_len = *(p_start + len - 1);
   }
 
   /* do sanity check */
-  if (pad_len > (len - offset)) {
+  if (pad_len >= (len - offset)) {
     AVDT_TRACE_WARNING("Got bad media packet");
     osi_free_and_reset((void**)&p_data->p_pkt);
   }