
Commit 5bdefb74 authored by Hui Peng's avatar Hui Peng

Fix an OOB bug in btu_ble_rc_param_req_evt

Bug: 256165737
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I0a626bbc1a72c8bc9740d139b54726b188b6f1df
Change-Id: I0a626bbc1a72c8bc9740d139b54726b188b6f1df
parent 45e8d2dc
+8 −3
@@ -96,7 +96,7 @@ static void btu_ble_ll_conn_param_upd_evt(uint8_t* p, uint16_t evt_len);
static void btu_ble_proc_ltk_req(uint8_t* p);
static void btu_hcif_encryption_key_refresh_cmpl_evt(uint8_t* p);
static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len);
static void btu_ble_rc_param_req_evt(uint8_t* p);
static void btu_ble_rc_param_req_evt(uint8_t* p, uint8_t len);

/**
 * Log HCI event metrics that are not handled in special functions
@@ -352,7 +352,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id,
          btu_ble_proc_ltk_req(p);
          break;
        case HCI_BLE_RC_PARAM_REQ_EVT:
          btu_ble_rc_param_req_evt(p);
          btu_ble_rc_param_req_evt(p, ble_evt_len);
          break;
        case HCI_BLE_DATA_LENGTH_CHANGE_EVT:
          btu_ble_data_length_change_evt(p, hci_evt_len);
@@ -1691,10 +1691,15 @@ static void btu_ble_data_length_change_evt(uint8_t* p, uint16_t evt_len) {
/**********************************************
 * End of BLE Events Handler
 **********************************************/
static void btu_ble_rc_param_req_evt(uint8_t* p) {
static void btu_ble_rc_param_req_evt(uint8_t* p, uint8_t len) {
  uint16_t handle;
  uint16_t int_min, int_max, latency, timeout;

  if (len < 10) {
    LOG(ERROR) << __func__ << "bogus event packet, too short";
    return;
  }

  STREAM_TO_UINT16(handle, p);
  STREAM_TO_UINT16(int_min, p);
  STREAM_TO_UINT16(int_max, p);
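Review bot: In the third hunk the guard `if (len < 10)` uses a bare literal whose correctness depends on the reads that follow: the function declares handle, int_min, int_max, latency and timeout, and if each is pulled with STREAM_TO_UINT16 (only the first three reads are inside the hunk; the body continues past it) the minimum is 5 × 2 = 10 bytes. A comment such as `// handle + int_min + int_max + latency + timeout, 2 bytes each`, or a named constant, would keep the bound and the parser from drifting apart. At the call site in the second hunk it is worth confirming that `ble_evt_len` counts only the bytes remaining at `p`, since the neighbouring case passes `hci_evt_len` instead and neither definition is visible here. The log line also lacks a separator after `__func__` and omits the received length; `LOG(ERROR) << __func__ << ": bogus event packet, too short, len=" << +len;` would make a rejected packet easier to triage.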