Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 44c68778 authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker
Browse files

Merge "Fix an OOB write bug in attp_build_read_by_type_value_cmd" into tm-dev... 

Merge "Fix an OOB write bug in attp_build_read_by_type_value_cmd" into tm-dev am: 4d9979fc am: defbd7bc am: 9a945b15 am: 21252e65

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/25503067



Change-Id: I18240dbe621d6f95a5151d03dcfae3be1bcd06f1
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents e1f2f288 21252e65

system/stack/gatt/att_protocol.cc

+7 −1
Original line number Original line Diff line number Diff line
@@ -165,7 +165,13 @@ static BT_HDR* attp_build_read_by_type_value_cmd( 
    uint16_t payload_size, tGATT_FIND_TYPE_VALUE* p_value_type) {

    uint16_t payload_size, tGATT_FIND_TYPE_VALUE* p_value_type) {

  uint8_t* p;

  uint8_t* p;

  uint16_t len = p_value_type->value_len;

  uint16_t len = p_value_type->value_len;

  BT_HDR* p_buf =

  BT_HDR* p_buf = nullptr;



  if (payload_size < 5) {

    return nullptr;

  }



  p_buf =

      (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);

      (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);





  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;