Fix OOB read in bta_av_setconfig_rej
The bta_av_config_ind function in bta_av_aact.cc makes a call in some user journeys to bta_av_setconfig_rej, constructing its p_data argument (a union datatype) as a tBTA_AV_CI_SETCONFIG. This is a valid member of the union, but bta_av_setconfig_rej makes the assumption that the variable being passed has been set up as a tBTA_AV_STR_MSG, which is not true in this case. This causes OOB access. Draw the required data instead from the stream control block, which should not be subject to this confusion.

Bug: 260230151
Test: m libbluetooth
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b1d0907e7038254c722e14c5681fa3542dccf9db)
Merged-In: Id6cdb2b5a5e0b25d0926a83d09b68c483bd0df98
Change-Id: Id6cdb2b5a5e0b25d0926a83d09b68c483bd0df98
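The union-member confusion the commit describes, and the fix pattern of reading from the control block instead, as an added illustration: this is constructed code, not AOSP's, and every type, field and size below (ci_setconfig_t, str_msg_t, scb_t, the reserved padding) is a hypothetical stand-in for the real tBTA_AV_* definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the two union members named in the commit.
 * Field names and sizes are constructed; only the size relationship matters. */
typedef struct {
    uint16_t hdr_event;   /* small message: a header and one handle */
    uint8_t  hdl;
} ci_setconfig_t;

typedef struct {
    uint16_t hdr_event;
    uint8_t  reserved[40];
    uint8_t  handle;      /* sits well past the end of a ci_setconfig_t */
    uint8_t  avdt_handle;
} str_msg_t;

typedef union {
    ci_setconfig_t ci_setconfig;
    str_msg_t      str_msg;
} av_data_t;

/* Stream control block: always fully initialised, so safe to read from. */
typedef struct {
    uint8_t hndl;
    uint8_t avdt_handle;
} scb_t;

/* Buggy pattern: the callee assumes p_data was built as str_msg, but the
 * caller did `ci_setconfig_t cfg; f((av_data_t *)&cfg)`, so the object
 * behind the pointer is only sizeof(ci_setconfig_t) bytes long. */
uint8_t reject_handle_buggy(const av_data_t *p_data) {
    return p_data->str_msg.avdt_handle;   /* read past the real allocation */
}

/* Fixed pattern: do not interpret p_data at all; take the value from the
 * control block, which cannot be subject to the union confusion. */
uint8_t reject_handle_fixed(const scb_t *p_scb) {
    return p_scb->avdt_handle;
}

/* True when the buggy read ends beyond a ci_setconfig_t-sized object. */
bool buggy_read_is_out_of_bounds(void) {
    size_t end = offsetof(str_msg_t, avdt_handle) + sizeof(uint8_t);
    return end > sizeof(ci_setconfig_t);
}

/* Constructed scenario: the control block holds the handle the reject needs. */
uint8_t demo_fixed_reject(void) {
    scb_t scb = { .hndl = 1, .avdt_handle = 7 };
    return reject_handle_fixed(&scb);
}
```

The check function is the kind of static assertion one would add to the fix: it does not perform the bad read, it only shows that the read would land outside the caller's object.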