Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8ba94f68 authored by Marie Janssen's avatar Marie Janssen
Browse files

DO NOT MERGE Check size of pin before replying 

If a malicious client set a pin that was too long it would overflow
the pin code memory.

Bug: 27411268
Change-Id: I9197ac6fdaa92a4799dacb6364e04671a39450cc
parent 16fbb211

system/btif/src/btif_dm.c

+1 −1
Original line number Original line Diff line number Diff line
@@ -2436,7 +2436,7 @@ bt_status_t btif_dm_pin_reply( const bt_bdaddr_t *bd_addr, uint8_t accept, 
                               uint8_t pin_len, bt_pin_code_t *pin_code)

                               uint8_t pin_len, bt_pin_code_t *pin_code)

{

{

    BTIF_TRACE_EVENT("%s: accept=%d", __FUNCTION__, accept);

    BTIF_TRACE_EVENT("%s: accept=%d", __FUNCTION__, accept);

    if (pin_code == NULL)

    if (pin_code == NULL || pin_len > PIN_CODE_LEN)

        return BT_STATUS_FAIL;

        return BT_STATUS_FAIL;

#if (defined(BLE_INCLUDED) && (BLE_INCLUDED == TRUE))

#if (defined(BLE_INCLUDED) && (BLE_INCLUDED == TRUE))