
Commit 0494f1ab authored by Hui Peng Committed by Android (Google) Code Review

Merge "Fix an OOB Write bug in gatt_check_write_long_terminate" into tm-dev

parents 638e4875 d4e34d86
+3 −2
@@ -591,7 +591,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
  VLOG(1) << StringPrintf("value resp op_code = %s len = %d",
                          gatt_dbg_op_name(op_code), len);

  if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
  if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
      len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
    LOG(ERROR) << "illegal prepare write response length, discard";
    gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
    return;
@@ -600,7 +601,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
  STREAM_TO_UINT16(value.handle, p);
  STREAM_TO_UINT16(value.offset, p);

  value.len = len - 4;
  value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;

  memcpy(value.value, p, value.len);
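Review bot: The `memcpy(value.value, p, value.len);` at the end of the second hunk is in bounds only because of the upper limit added to the length check in the first hunk, and nothing at the copy site records that dependency; a comment directly above it such as `// len was capped at MIN_LEN + sizeof(value.value) above, so value.len fits value.value` would keep a later edit from separating the two. The rejection branch still logs a fixed string, and the length is otherwise printed only by the `VLOG(1)` line, so a response that is too long cannot be told apart from one that is too short during triage; consider `LOG(ERROR) << "illegal prepare write response length " << len << ", discard";`. The change as shown (+3 −2) carries no test, and a regression case with `len` one byte above `GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)` would pin the new bound. gatt_process_prep_write_rsp starts before and continues after the lines shown.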