
Unverified Commit 52d9495b authored by Michael Bestas's avatar Michael Bestas

Merge tag 'android-security-13.0.0_r14' into staging/lineage-20.0_merge-android-security-13.0.0_r14

Android Security 13.0.0 Release 14 (11228180)

# -----BEGIN PGP SIGNATURE-----
#
# iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZcEegAAKCRDorT+BmrEO
# eGAeAJ93p2eKOzFHdlUK7SOjOnvWAlf2fwCgiWX8yF8+scPfGPqGS+aJV6barb4=
# =KFY2
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Feb  5 19:44:32 2024 EET
# gpg:                using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [marginal]
# gpg: initial-contribution@android.com: Verified 2266 signatures in the past
#      2 years.  Encrypted 4 messages in the past 2 years.
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 4340 D135 70EF 945E 8381  0964 E8AD 3F81 9AB1 0E78

# By Hui Peng (3) and Mehmet Murat Sevim (1)
# Via Android Build Coastguard Worker
* tag 'android-security-13.0.0_r14':
  Revert "Fix an OOB write bug in attp_build_value_cmd"
  Fix an OOB write bug in attp_build_value_cmd
  Fix an OOB write bug in attp_build_read_by_type_value_cmd
  Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd

Change-Id: I591610b121758e3da91d226d187d4373a8859798
parents 4ab29055 3ba8ea5e
+4 −2
@@ -18,6 +18,8 @@

#define LOG_TAG "bt_btif_gatt"

#include <algorithm>

#include "btif_gatt_util.h"

#include <errno.h>
@@ -52,9 +54,9 @@ using bluetooth::Uuid;
void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
  p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
  p_dest->attr_value.handle = p_src->attr_value.handle;
  p_dest->attr_value.len = p_src->attr_value.len;
  p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
  p_dest->attr_value.offset = p_src->attr_value.offset;
  memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
  memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
}

/*******************************************************************************
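Review bot: The new clamp in `btif_to_bta_response` bounds the copy by the constant `GATT_MAX_ATTR_LEN` only, and neither array declaration is visible in this hunk, so it cannot be confirmed from here that both `p_src->attr_value.value` and `p_dest->attr_value.value` are at least that large. A compile-time guard next to the clamp would keep the two headers from drifting apart: `static_assert(sizeof(p_src->attr_value.value) >= GATT_MAX_ATTR_LEN && sizeof(p_dest->attr_value.value) >= GATT_MAX_ATTR_LEN, "attr value buffers smaller than clamp");`. The truncation is also silent; a warning log when `p_src->attr_value.len > GATT_MAX_ATTR_LEN` would make an oversized response from the upper layer visible during triage. Finally, the memcpy no longer fills the whole destination array, so bytes past `len` keep whatever `p_dest` held before; that is safe only if callers zero-initialise the struct or never read past `len`, which is outside this hunk.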
+7 −1
@@ -164,7 +164,13 @@ static BT_HDR* attp_build_read_by_type_value_cmd(
    uint16_t payload_size, tGATT_FIND_TYPE_VALUE* p_value_type) {
  uint8_t* p;
  uint16_t len = p_value_type->value_len;
  BT_HDR* p_buf =
  BT_HDR* p_buf = nullptr;

  if (payload_size < 5) {
    return nullptr;
  }

  p_buf =
      (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);

  p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
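Review bot: The bare literal in `if (payload_size < 5)` gives no indication of which fixed-size fields it accounts for, and the rest of `attp_build_read_by_type_value_cmd` lies outside this hunk, so it cannot be checked here that 5 covers every byte written before the value copy. I would add a comment naming the fields that make up the minimum, or replace the literal with a named constant shared with the later length arithmetic, so the guard and the writes cannot drift apart. If the body writes any further fixed-size field before copying `p_value_type->value`, the minimum should include it. The function also gains a `nullptr` return path here, so each call site needs a null check before using the buffer; the callers are not visible in this section.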