
Commit 5ea9702f authored by weichinweng's avatar weichinweng Committed by Automerger Merge Worker

Fix possible OOB when receive gatt read type response data am: 3f029b64 am:...

Fix possible OOB when receive gatt read type response data am: 3f029b64 am: 1cce5d80 am: 0e489563

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/12258750

Change-Id: Iaf6cb810e9aced654b009d12b3c48136a2bb88a0
parents 56211f07 0e489563
+12 −0
@@ -771,6 +771,12 @@ void gatt_process_read_by_type_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
    /* discover included service */
    else if (p_clcb->operation == GATTC_OPTYPE_DISCOVERY &&
             p_clcb->op_subtype == GATT_DISC_INC_SRVC) {
      if (value_len < 4) {
        android_errorWriteLog(0x534e4554, "158833854");
        LOG(ERROR) << __func__ << " Illegal Response length, must be at least 4.";
        gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
        return;
      }
      STREAM_TO_UINT16(record_value.incl_service.s_handle, p);
      STREAM_TO_UINT16(record_value.incl_service.e_handle, p);

@@ -824,6 +830,12 @@ void gatt_process_read_by_type_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
      return;
    } else /* discover characterisitic */
    {
      if (value_len < 3) {
        android_errorWriteLog(0x534e4554, "158778659");
        LOG(ERROR) << __func__ << " Illegal Response length, must be at least 3.";
        gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL);
        return;
      }
      STREAM_TO_UINT8(record_value.dclr_value.char_prop, p);
      STREAM_TO_UINT16(record_value.dclr_value.val_handle, p);
      if (!GATT_HANDLE_IS_VALID(record_value.dclr_value.val_handle)) {
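Review bot: The two new minimums (`value_len < 4` in the included-service branch, `value_len < 3` in the characteristic branch) are bare literals with nothing tying them to the reads they protect; a one-line comment above each check would keep guard and parser in step if a field is ever added, e.g. `/* two 16-bit handles (s_handle, e_handle) are read unconditionally below */` and `/* 1-byte char_prop + 2-byte val_handle are read unconditionally below */`. Both checks are lower bounds on the per-record length only, so they stop the out-of-bounds read only if `value_len` has already been validated against the bytes actually remaining in the PDU. That validation, and whatever the characteristic branch parses after the handle validity test, lie outside the visible lines of gatt_process_read_by_type_rsp and should be confirmed. The rejection log would also help triage more if it printed the received length as an integer alongside the expected minimum.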