Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 012390be authored by Henri Chataing's avatar Henri Chataing
Browse files

hearing_aid: Potential OOB in reading the PSM handle 

- invalid length check for len > 2 instead of < 2
- value is read with arch endianness instead of
  explicit little endian order

Bug: 331817295
Test: m com.android.btservices
Flag: EXEMPT, minor bugfix
Change-Id: Icd4ca8b99fbf288cfce19f4685476096011ddb2b
parent af302719

system/bta/hearing_aid/hearing_aid.cc

+4 −2
Original line number Diff line number Diff line
@@ -1041,12 +1041,14 @@ class HearingAidImpl : public HearingAid { 
      return;

    }



    if (len > 2) {

    if (len < 2) {

      log::error("Bad PSM Lengh");

      return;

    }



    uint16_t psm = *((uint16_t*)value);

    uint16_t psm = 0;

    STREAM_TO_UINT16(psm, value);



    log::debug("read psm:0x{:x}", psm);



    if (hearingDevice->gap_handle == GAP_INVALID_HANDLE &&