Commit a3c7e637 authored by Hui Peng

Fix an OOB write in BTA_GATTS_HandleValueIndication

Bug: 245915315
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I4b08db42bed52bb250098a7744b689a5d0c105b2
Change-Id: I4b08db42bed52bb250098a7744b689a5d0c105b2
parent 45e8d2dc
+6 −0
@@ -242,6 +242,12 @@ void BTA_GATTS_StopService(uint16_t service_id) {
void BTA_GATTS_HandleValueIndication(uint16_t conn_id, uint16_t attr_id,
                                     std::vector<uint8_t> value,
                                     bool need_confirm) {

  if (value.size() > sizeof(tBTA_GATTS_API_INDICATION::value)) {
    LOG(ERROR) << __func__ << "data to indicate is too long";
    return;
  }

  tBTA_GATTS_API_INDICATION* p_buf =
      (tBTA_GATTS_API_INDICATION*)osi_calloc(sizeof(tBTA_GATTS_API_INDICATION));
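
Review bot: The error log in the new size check streams `__func__` straight into `"data to indicate is too long"` with no separator, so the message will read as the function name fused to "data"; start the string with ": " and log the offending length next to the limit, for example `LOG(ERROR) << __func__ << ": data to indicate is too long, len=" << value.size();`. The check is in the right place, before the `osi_calloc` and any use of `p_buf`, but the function returns void, so a caller (including one that passed `need_confirm`) gets no signal that the indication was dropped; consider whether the rejection should be reported rather than only logged. The blank line directly after the opening brace is stray. The commit message lists `Test: manual`, so a regression test that passes a `value` larger than `sizeof(tBTA_GATTS_API_INDICATION::value)` and checks for a clean return would be worth adding.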