Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ab6feafe authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker
Browse files

Merge "Fix an OOB access bug in btm_vendor_specific_evt" into tm-dev am: cbea7ae0 

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/20813131



Change-Id: Ia00493cb41a61a570c8c2fb001a1b55707aa4a01
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents e5db1de7 cbea7ae0

system/stack/btm/btm_devctl.cc

+15 −12
Original line number Diff line number Diff line
@@ -559,10 +559,12 @@ void btm_vendor_specific_evt(const uint8_t* p, uint8_t evt_len) { 
  const uint8_t* bqr_ptr = p;

  uint8_t event_code;

  uint8_t len;



  if (evt_len >= 2) {

    STREAM_TO_UINT8(event_code, bqr_ptr);

    STREAM_TO_UINT8(len, bqr_ptr);

    // Check if there's at least a subevent code

  if (len > 1 && evt_len > 1 && event_code == HCI_VENDOR_SPECIFIC_EVT) {

    if (len > 1 && evt_len >= 2 + 1 && event_code == HCI_VENDOR_SPECIFIC_EVT) {

      uint8_t sub_event_code;

      STREAM_TO_UINT8(sub_event_code, bqr_ptr);

      if (sub_event_code == HCI_VSE_SUBCODE_BQR_SUB_EVT) {
@@ -594,6 +596,7 @@ void btm_vendor_specific_evt(const uint8_t* p, uint8_t evt_len) { 
        }

      }

    }

  }



  for (i = 0; i < BTM_MAX_VSE_CALLBACKS; i++) {

    if (btm_cb.devcb.p_vend_spec_cb[i])