
Commit 33fbb55f authored by Himanshu Rawat's avatar Himanshu Rawat

Out of bound access if the handle or transport type is wrong

Bug: 291521892
Test: mma
Test: m com.android.btservices
Change-Id: Ica18ee891c97919f9a421154dff9aaf7ba3d8898
parent 7960b7fe
+12 −5
@@ -117,13 +117,20 @@ tBTA_HH_DEV_CB* bta_hh_get_cb(const RawAddress& bda) {
void bta_hh_clean_up_kdev(tBTA_HH_DEV_CB* p_cb) {
  uint8_t index;

  if (p_cb->hid_handle != BTA_HH_INVALID_HANDLE) {
    if (p_cb->is_le_device)
      bta_hh_cb.le_cb_index[BTA_HH_GET_LE_CB_IDX(p_cb->hid_handle)] =
          BTA_HH_IDX_INVALID;
    else
  if (p_cb->is_le_device) {
    uint8_t le_hid_handle = BTA_HH_GET_LE_CB_IDX(p_cb->hid_handle);
    if (le_hid_handle >= BTA_HH_LE_MAX_KNOWN) {
      LOG_WARN("Invalid LE hid_handle %d", p_cb->hid_handle);
    } else {
      bta_hh_cb.le_cb_index[le_hid_handle] = BTA_HH_IDX_INVALID;
    }
  } else {
    if (p_cb->hid_handle >= BTA_HH_MAX_KNOWN) {
      LOG_WARN("Invalid hid_handle %d", p_cb->hid_handle);
    } else {
      bta_hh_cb.cb_index[p_cb->hid_handle] = BTA_HH_IDX_INVALID;
    }
  }

  /* reset device control block */
  index = p_cb->index; /* Preserve index for this control block */
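Review bot: Dropping the old `p_cb->hid_handle != BTA_HH_INVALID_HANDLE` guard means a control block that was never assigned a handle now lands in one of the two `LOG_WARN` branches, so the warning that should flag a corrupt handle or transport type also fires on what looks like the ordinary unassigned case. I would keep that test as the outer condition, `if (p_cb->hid_handle != BTA_HH_INVALID_HANDLE) {`, and put the new range checks inside it, so the log only records values that are unexpected. Separately, the LE check appears to depend on the macro result being narrowed into `uint8_t le_hid_handle`, so that a handle below the LE range wraps to a large value and is rejected. A short comment such as `/* narrowing is intentional: handles below the LE range wrap and fail the bound check */` would stop someone widening the type later and reopening the out-of-bounds write. The range checks also do not confirm that the slot being cleared currently maps to `p_cb->index`, so a wrong but in-range handle would still invalidate another device's entry; this is worth verifying against the callers. The body of `bta_hh_clean_up_kdev` continues past the end of this hunk.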