    Fix use after free in acl_arbiter · d6cb1ec8
    Brian Delwiche authored
    In SendPacketToPeer of acl_arbiter.cc, a buffer length is logged in one
    case after an intermediate call may free the buffer, leading to use
    after free.
    
    Log instead from the buffer's source, which has not been freed at this
    point in the code.
    
    Bug: 406785684
    Flag: EXEMPT obvious logic fix
    Test: m libbluetooth
    Test: researcher POC
    Tag: #security
    Change-Id: Idd13399c24399d01bcd668a4b779ef1980273691
    (cherry picked from commit 243d7484e59730c522640b616445b2747b3062e5)
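
The pattern the commit message describes, as an added example that is not part of the commit or the Bluetooth stack's code. `Packet`, `g_pool`, `kPoison`, `LowerLayerSend` and both `SendLog…` functions are hypothetical names, and the static pool is an assumption used so that the stale read returns a visible poison value instead of being undefined behavior.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical model, not Bluetooth stack code. Packets live in a static pool
// so a read after release is defined behavior and the stale value is visible.
struct Packet { bool live; uint16_t len; uint8_t data[64]; };
constexpr uint16_t kPoison = 0xDEAD;  // stamped into len on release
static Packet g_pool[4];

Packet* AllocPacket(const uint8_t* src, uint16_t n) {
  if (n > sizeof(g_pool[0].data)) return nullptr;
  for (Packet& p : g_pool) {
    if (p.live) continue;
    p.live = true; p.len = n;
    memcpy(p.data, src, n);
    return &p;
  }
  return nullptr;
}

void ReleasePacket(Packet* p) { p->live = false; p->len = kPoison; }

// Stand-in for the intermediate call: it takes ownership of the packet and
// releases it when the link is down, leaving the caller's pointer stale.
void LowerLayerSend(Packet* p, bool link_up) { if (!link_up) ReleasePacket(p); }

// Before: the logged length is read through the pointer after the handoff.
uint16_t SendLogFromBuffer(const uint8_t* src, uint16_t n, bool link_up) {
  Packet* p = AllocPacket(src, n);
  if (p == nullptr) return 0;
  LowerLayerSend(p, link_up);
  return p->len;  // stale whenever the callee released the packet
}

// After: the logged length comes from the source, which the caller still owns.
uint16_t SendLogFromSource(const uint8_t* src, uint16_t n, bool link_up) {
  Packet* p = AllocPacket(src, n);
  if (p == nullptr) return 0;
  LowerLayerSend(p, link_up);
  return n;  // p is never touched after the handoff
}

int main() {
  const uint8_t payload[5] = {1, 2, 3, 4, 5};  // constructed sample input
  printf("before: len=0x%X\n", (unsigned)SendLogFromBuffer(payload, 5, false));
  printf("after:  len=%u\n", (unsigned)SendLogFromSource(payload, 5, false));
  return 0;
}
```

With a real heap allocation the "before" read is undefined behavior and often returns a plausible value, which is why a sanitizer build (for example ASan) is the usual way to catch it.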