
Commit 6c79df5f authored by Andre Eisenbach's avatar Andre Eisenbach Committed by Myles Watson

Fix pointer arithmetic in BTA_DmBleCfgFilterCondition

Using the pointer to the beginning of a union in a member of the union,
which will then be over-written, is a bad idea(TM).

Bug: 33910711
Test: manual
Change-Id: I0b979e493688bf8c02119a2ef6707d6c8e730dcb
parent c73e76b5
+3 −0
@@ -1203,6 +1203,7 @@ void BTA_DmBleCfgFilterCondition(tBTA_DM_BLE_SCAN_COND_OP action,

  if (cond_type == BTA_DM_BLE_PF_SRVC_DATA_PATTERN ||
      cond_type == BTA_DM_BLE_PF_MANU_DATA) {
    p += sizeof(tBTA_DM_BLE_PF_MANU_COND);
    p_cond_param->manu_data.p_pattern = p;
    p_cond_param->manu_data.data_len = p_cond->manu_data.data_len;
    memcpy(p_cond_param->manu_data.p_pattern, p_cond->manu_data.p_pattern,
@@ -1219,12 +1220,14 @@ void BTA_DmBleCfgFilterCondition(tBTA_DM_BLE_SCAN_COND_OP action,
      }
    }
  } else if (cond_type == BTA_DM_BLE_PF_LOCAL_NAME) {
    p += sizeof(tBTA_DM_BLE_PF_LOCAL_NAME_COND);
    p_cond_param->local_name.p_data = p;
    p_cond_param->local_name.data_len = p_cond->local_name.data_len;
    memcpy(p_cond_param->local_name.p_data, p_cond->local_name.p_data,
           p_cond->local_name.data_len);
  } else if (cond_type == BTM_BLE_PF_SRVC_UUID ||
             cond_type == BTM_BLE_PF_SRVC_SOL_UUID) {
    p += sizeof(tBTA_DM_BLE_PF_SRVC_PATTERN_COND);
    if (p_cond->srvc_uuid.p_target_addr != NULL) {
      p_cond_param->srvc_uuid.p_target_addr = (tBLE_BD_ADDR*)(p);
      p_cond_param->srvc_uuid.p_target_addr->type =
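Review bot: Nothing visible in either hunk checks that the message buffer is large enough once `p` has been advanced by the `p += sizeof(...)` lines (which appear to be the three additions) in the manu_data, local_name and srvc_uuid branches. The `memcpy` calls in the first two branches copy `p_cond->manu_data.data_len` and `p_cond->local_name.data_len` bytes to `p`, and both lengths come straight from the caller's structure. If the allocation length computed earlier in the function (outside these hunks) does not include the skipped struct size plus `data_len`, the copy writes past the end of the allocation, so that computation should be confirmed or adjusted in the same change. Each `p +=` line would also benefit from a comment such as `/* skip the fixed-size condition struct; the variable-length data is stored after it */`. The function body starts before the first hunk and continues past the second.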