Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6dc8c03f authored by Ajay Panicker's avatar Ajay Panicker Committed by android-build-merger
Browse files

Prevent integer overflows during GATT signing 

am: ae50b339

* commit 'ae50b339':
  Prevent integer overflows during GATT signing
parents 9657b13a ae50b339

system/stack/gatt/gatt_auth.c

+5 −0
Original line number Diff line number Diff line
@@ -103,6 +103,11 @@ void gatt_verify_signature(tGATT_TCB *p_tcb, BT_HDR *p_buf) 
    UINT8   *p, *p_orig = (UINT8 *)(p_buf + 1) + p_buf->offset;

    UINT32  counter;



    if (p_buf->len < GATT_AUTH_SIGN_LEN + 4) {

        GATT_TRACE_ERROR("%s: Data length %u less than expected %u",

                         __func__, p_buf->len, GATT_AUTH_SIGN_LEN + 4);

        return;

    }

    cmd_len = p_buf->len - GATT_AUTH_SIGN_LEN + 4;

    p =  p_orig + cmd_len - 4;

    STREAM_TO_UINT32(counter, p);