Commit 67241b75 authored by Hui Peng, committed by Android Build Coastguard Worker

Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd

1. The size of `p_src->attr_value.value` is dependent on
   `p_src->attr_value.len`. While copying `p_src->attr_value.value`,
   to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN
   bytes, it may result in OOB read in `p_src->attr_value.value`;

2. As the `p_dest->attr_value.len` does not map the length of
   `p_dest->attr_value.value`, it may result in OOB read in
   attp_build_value_cmd;

Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59)
Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
parent c3717d75
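
The two length problems the commit message describes, shown as an added C sketch that is not the code from this commit. The types `src_attr_t` and `dst_attr_t`, the function names, and the value 512 for `GATT_MAX_ATTR_LEN` are assumptions made for illustration; the inputs are constructed.

```c
#include <stdint.h>
#include <string.h>
#define GATT_MAX_ATTR_LEN 512 /* assumed value for this sketch */

/* Hypothetical stand-ins for the structures named in the commit message. */
typedef struct {
  uint16_t len;         /* number of valid bytes behind `value` */
  const uint8_t *value; /* storage sized by `len`, not by the maximum */
} src_attr_t;

typedef struct {
  uint16_t len;
  uint8_t value[GATT_MAX_ATTR_LEN];
} dst_attr_t;

/* Pattern from item 1, for contrast (never called here): a fixed-size copy
 * reads past the end of src->value whenever src->len < GATT_MAX_ATTR_LEN. */
void copy_fixed_size(dst_attr_t *dst, const src_attr_t *src) {
  dst->len = src->len;
  memcpy(dst->value, src->value, GATT_MAX_ATTR_LEN);
}

/* Bounded copy: clamp the length once, copy exactly that many bytes, and
 * store the clamped length so later readers of dst->len stay in bounds. */
uint16_t copy_bounded(dst_attr_t *dst, const src_attr_t *src) {
  uint16_t n = src->len > GATT_MAX_ATTR_LEN ? GATT_MAX_ATTR_LEN : src->len;
  memset(dst, 0, sizeof(*dst));
  if (n > 0) memcpy(dst->value, src->value, n);
  dst->len = n;
  return n;
}

/* Constructed input: a 4-byte value; returns 1 when the copy is exact. */
int demo_short(void) {
  static const uint8_t v[4] = {0xde, 0xad, 0xbe, 0xef};
  src_attr_t src = {sizeof(v), v};
  dst_attr_t dst;
  copy_bounded(&dst, &src);
  return dst.len == 4 && memcmp(dst.value, v, 4) == 0 && dst.value[4] == 0;
}

/* Constructed input: a 600-byte value, longer than the destination holds. */
uint16_t demo_oversized(void) {
  static const uint8_t v[600] = {0};
  src_attr_t src = {sizeof(v), v};
  dst_attr_t dst;
  return copy_bounded(&dst, &src);
}

int main(void) { return !(demo_short() && demo_oversized() == GATT_MAX_ATTR_LEN); }
```

Storing the clamped length in the destination is what covers item 2: a later consumer that reads `len` bytes from the destination `value` cannot run past the array.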