
Commit 21563c5a authored by Yamei Du, committed by Hansong Zhang

Fix out-of-bounds reading in btm_ble_vendor_capability_vsc_cmpl_cback

8-bit parameters get 16 bits from the buffer in
btm_ble_vendor_capability_vsc_cmpl_cback, which would cause out-of-bounds reading.
Correct STREAM_TO_UINT16 to STREAM_TO_UINT8.

Test: manual
Bug: 112167084
Change-Id: Id2b71a8f74eee5d93f287d4705aadab449c55fce
parent 315dcd4f
+2 −2
@@ -513,8 +513,8 @@ static void btm_ble_vendor_capability_vsc_cmpl_cback(
  if (btm_cb.cmn_ble_vsc_cb.version_supported >=
      BTM_VSC_CHIP_CAPABILITY_M_VERSION) {
    STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.total_trackable_advertisers, p);
    STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.extended_scan_support, p);
    STREAM_TO_UINT16(btm_cb.cmn_ble_vsc_cb.debug_logging_supported, p);
    STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.extended_scan_support, p);
    STREAM_TO_UINT8(btm_cb.cmn_ble_vsc_cb.debug_logging_supported, p);
  }
  btm_cb.cmn_ble_vsc_cb.values_read = true;
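
Review bot: The reads inside the `version_supported >= BTM_VSC_CHIP_CAPABILITY_M_VERSION` block still advance `p` with no length check visible in this hunk, so a vendor capability response shorter than the 4 bytes consumed here (2 + 1 + 1) would read past the buffer even with the corrected widths. If the callback does not already validate the returned parameter length against the fields expected for the reported version earlier in the function, add that check before this block and return before `values_read` is set to true. With `Test: manual` as the only coverage, a unit test that feeds this callback a truncated response would keep the width fix from regressing.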