Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ab6feafe authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker
Browse files

Merge "Fix an OOB access bug in btm_vendor_specific_evt" into tm-dev am: cbea7ae0

parents e5db1de7 cbea7ae0
Loading
Loading
Loading
Loading
+15 −12
Original line number Diff line number Diff line
@@ -559,10 +559,12 @@ void btm_vendor_specific_evt(const uint8_t* p, uint8_t evt_len) {
  const uint8_t* bqr_ptr = p;
  uint8_t event_code;
  uint8_t len;

  if (evt_len >= 2) {
    STREAM_TO_UINT8(event_code, bqr_ptr);
    STREAM_TO_UINT8(len, bqr_ptr);
    // Check if there's at least a subevent code
  if (len > 1 && evt_len > 1 && event_code == HCI_VENDOR_SPECIFIC_EVT) {
    if (len > 1 && evt_len >= 2 + 1 && event_code == HCI_VENDOR_SPECIFIC_EVT) {
      uint8_t sub_event_code;
      STREAM_TO_UINT8(sub_event_code, bqr_ptr);
      if (sub_event_code == HCI_VSE_SUBCODE_BQR_SUB_EVT) {
@@ -594,6 +596,7 @@ void btm_vendor_specific_evt(const uint8_t* p, uint8_t evt_len) {
        }
      }
    }
  }

  for (i = 0; i < BTM_MAX_VSE_CALLBACKS; i++) {
    if (btm_cb.devcb.p_vend_spec_cb[i])