
Commit 9c12298c authored by Hui Peng

Fix an OOB access bug in btm_vendor_specific_evt

This CL also fixes one of the vendor specific event callbacks:
BleAdvertiserVscHciInterfaceImpl::VendorSpecificEventCback.

Other issues in the callbacks of this function are:
- b/261857395, fix in I1ba4d1f1e62b1d77ac635cfb6b16cf175bfbf254.
- b/264921486, fix in Ifed6a81c2a980394efbd5666305d10227d5ec186.

Bug: 255304665
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ic9c43064db88a36aecb2a88f024db85f6cfc05f1
parent 5f8babc9
+15 −12
@@ -559,10 +559,12 @@ void btm_vendor_specific_evt(const uint8_t* p, uint8_t evt_len) {
  const uint8_t* bqr_ptr = p;
  uint8_t event_code;
  uint8_t len;

  if (evt_len >= 2) {
    STREAM_TO_UINT8(event_code, bqr_ptr);
    STREAM_TO_UINT8(len, bqr_ptr);
    // Check if there's at least a subevent code
  if (len > 1 && evt_len > 1 && event_code == HCI_VENDOR_SPECIFIC_EVT) {
    if (len > 1 && evt_len >= 2 + 1 && event_code == HCI_VENDOR_SPECIFIC_EVT) {
      uint8_t sub_event_code;
      STREAM_TO_UINT8(sub_event_code, bqr_ptr);
      if (sub_event_code == HCI_VSE_SUBCODE_BQR_SUB_EVT) {
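Review bot: In the new condition `len > 1 && evt_len >= 2 + 1 && event_code == HCI_VENDOR_SPECIFIC_EVT`, the `len` byte is taken from the packet and only compared against 1, never against `evt_len`, so the in-packet length and the caller-supplied length can still disagree. Since the enclosing `if (evt_len >= 2)` already makes `evt_len - 2` safe to compute, consider also requiring `len <= evt_len - 2` here, so that nothing further down this branch can trust a `len` larger than the buffer. The bare `2 + 1` would also read better as a named constant or with a short comment saying it is the two header bytes (event code and length) plus the subevent code. With "Test: manual" in the commit message, a unit test that feeds `evt_len` values of 0, 1, 2 and 3 would pin this boundary down.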
@@ -594,6 +596,7 @@ void btm_vendor_specific_evt(const uint8_t* p, uint8_t evt_len) {
        }
      }
    }
  }

  for (i = 0; i < BTM_MAX_VSE_CALLBACKS; i++) {
    if (btm_cb.devcb.p_vend_spec_cb[i])
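Review bot: The `for (i = 0; i < BTM_MAX_VSE_CALLBACKS; i++)` loop sits after the closing brace of the new `evt_len >= 2` block, so it is still reached for every event, including those with `evt_len` of 0 or 1. That leaves each registered `p_vend_spec_cb` responsible for its own length validation, which matches the commit message listing further callback fixes. Either return early for events too short to carry a header before reaching the loop, or add a comment here stating that callbacks receive an unvalidated `evt_len` and must bounds-check it themselves.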