Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0450562b authored by Hui Peng's avatar Hui Peng
Browse files

Fix an OOB bug in btu_ble_ll_conn_param_upd_evt

Bug: 260230274
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: Id733a472236c005e30ff5c2b56b51d6e10fc9061
Change-Id: Id733a472236c005e30ff5c2b56b51d6e10fc9061
parent 362a9148
Loading
Loading
Loading
Loading
+6 −1
Original line number Diff line number Diff line
@@ -343,7 +343,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id,
          btm_ble_process_adv_pkt(ble_evt_len, p);
          break;
        case HCI_BLE_LL_CONN_PARAM_UPD_EVT:
          btu_ble_ll_conn_param_upd_evt(p, hci_evt_len);
          btu_ble_ll_conn_param_upd_evt(p, ble_evt_len);
          break;
        case HCI_BLE_READ_REMOTE_FEAT_CMPL_EVT:
          btm_ble_read_remote_features_complete(p);
@@ -1649,6 +1649,11 @@ static void btu_ble_ll_conn_param_upd_evt(uint8_t* p, uint16_t evt_len) {
  uint16_t latency;
  uint16_t timeout;

  if (evt_len < 9) {
     LOG_ERROR("Bogus event packet, too short");
     return;
  }

  STREAM_TO_UINT8(status, p);
  STREAM_TO_UINT16(handle, p);
  STREAM_TO_UINT16(interval, p);