Commit a9f60549 authored by Jeremy Wu

Floss: fix MSBC temp packet decode buffer size

In CL:2989709 there was a change to allow packet size of 24, but
CL:2899167 assumed the packet size is always greater than 60 (a SCO
packet size), and this causes a heap buffer overflow.

Bug: 332349377
Tag: #floss
Flag: EXEMPT floss only changes
Test: m Bluetooth && atest --host net_test_stack_btm # with CL:3002551
Change-Id: Ic5923f6ca250d0db20df054ffbd6abd069fd94a3
parent 3505ccf1
+1 −2
@@ -485,8 +485,7 @@ struct tBTM_MSBC_INFO {
    if (pkt_size == packet_size) return packet_size;
    packet_size = pkt_size;

    if (packet_buf) osi_free(packet_buf);
    packet_buf = (uint8_t*)osi_calloc(packet_size);
    if (!packet_buf) packet_buf = (uint8_t*)osi_calloc(BTM_MSBC_PKT_LEN);

    if (msbc_decode_buf) osi_free(msbc_decode_buf);
    msbc_decode_buf = (uint8_t*)osi_calloc(buf_size);
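
Review bot: the `if (!packet_buf) packet_buf = (uint8_t*)osi_calloc(BTM_MSBC_PKT_LEN);` line sizes the temp buffer independently of `packet_size`, which is set from `pkt_size` two statements earlier, and nothing in the hunk documents or enforces the relationship between the two. If a caller ever passes a `pkt_size` larger than `BTM_MSBC_PKT_LEN`, any code that indexes `packet_buf` by `packet_size` would overrun it, the same class of bug the commit message describes. Suggest a comment stating that `packet_buf` is always `BTM_MSBC_PKT_LEN` bytes regardless of `packet_size`, plus a check that rejects or clamps a `pkt_size` above that value before `packet_size = pkt_size;`.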