Commit 09ae4e14 authored by Brian Delwiche, committed by Android Build Coastguard Worker

Fix OOB read in bta_av_setconfig_rej

The bta_av_config_ind function in bta_av_aact.cc makes a call in some
user journeys to bta_av_setconfig_rej, constructing its p_data argument
(a union datatype) as a tBTA_AV_CI_SETCONFIG.  This is a valid member of
the union, but bta_av_setconfig_rej makes the assumption that the
variable being passed has been set up as a tBTA_AV_STR_MSG, which is not
true in this case.  This causes OOB access.

Draw the required data instead from the stream control block, which
should not be subject to this confusion.

Bug: 260230151
Test: m libbluetooth
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b1d0907e7038254c722e14c5681fa3542dccf9db)
Merged-In: Id6cdb2b5a5e0b25d0926a83d09b68c483bd0df98
Change-Id: Id6cdb2b5a5e0b25d0926a83d09b68c483bd0df98
parent 022ac90c
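
The type confusion described in the commit message, as an added C illustration that is not part of the commit or of AOSP. The struct layouts, field names and helper functions are hypothetical simplifications, and a sentinel-filled byte arena stands in for the memory next to the message so the stray read can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the types named in the commit
 * message; these are NOT the AOSP definitions. */
typedef struct { uint16_t event; uint8_t err_code; } ci_setconfig_t;
typedef struct { uint16_t event; uint8_t cfg[32]; uint8_t handle; } str_msg_t;
typedef union { ci_setconfig_t ci_setconfig; str_msg_t str_msg; } av_data_t;
typedef struct { uint8_t avdt_handle; } scb_t; /* stream control block */

#define ARENA_SIZE 128
#define SENTINEL 0xAA /* marks bytes that do not belong to the message */

/* Caller: writes only the small union member; returns the bytes written. */
size_t build_ci_setconfig(uint8_t *arena, uint8_t err_code) {
    ci_setconfig_t m = { .event = 1, .err_code = err_code };
    memset(arena, SENTINEL, ARENA_SIZE);
    memcpy(arena, &m, sizeof m);
    return sizeof m;
}

/* Before: assumes the bytes hold a str_msg_t and reads its handle field.
 * Sets *oob when that field lies past the bytes the caller wrote. */
uint8_t handle_from_msg(const uint8_t *arena, size_t msg_len, int *oob) {
    size_t off = offsetof(str_msg_t, handle);
    *oob = off + sizeof(uint8_t) > msg_len;
    return arena[off]; /* inside the arena, but outside the message */
}

/* After: the handle comes from the stream control block, so the result
 * no longer depends on which union member the caller filled in. */
uint8_t handle_from_scb(const scb_t *scb, const av_data_t *data) {
    (void)data;
    return scb->avdt_handle;
}

int main(void) {
    uint8_t arena[ARENA_SIZE];
    scb_t scb = { .avdt_handle = 7 }; /* constructed sample value */
    int oob = 0;
    size_t len = build_ci_setconfig(arena, 0x29);
    uint8_t bad = handle_from_msg(arena, len, &oob);
    uint8_t good = handle_from_scb(&scb, NULL);
    return (oob && bad == SENTINEL && good == 7) ? 0 : 1;
}
```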