
Commit b0797801 authored by Treehugger Robot's avatar Treehugger Robot Committed by Android (Google) Code Review

Merge "Reland: Fix an OOB write bug in attp_build_value_cmd" into aosp-main-future

parents 1eee5fa9 816d5a95
+13 −12
@@ -290,9 +290,10 @@ static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
  size_t pair_len;
  size_t size_now = 1;

  #define CHECK_SIZE() do {                      \
#define CHECK_SIZE()                       \
  do {                                     \
    if (size_now > payload_size) {         \
      LOG(ERROR) << "payload size too small";    \
      LOG_ERROR("payload size too small"); \
      osi_free(p_buf);                     \
      return nullptr;                      \
    }                                      \
@@ -308,7 +309,7 @@ static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
  p_buf->offset = L2CAP_MIN_OFFSET;

  if (op_code == GATT_RSP_READ_BY_TYPE) {
    p_pair_len = p;
    p_pair_len = p++;
    pair_len = len + 2;
    size_now += 1;
    CHECK_SIZE();
@@ -327,7 +328,7 @@ static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
    UINT16_TO_STREAM(p, offset);
  }

  if (len > 0 && p_data != NULL && payload_size > size_now) {
  if (len > 0 && p_data != NULL) {
    /* ensure data not exceed MTU size */
    if (payload_size - size_now < len) {
      len = payload_size - size_now;
@@ -348,7 +349,7 @@ static BT_HDR* attp_build_value_cmd(uint16_t payload_size, uint8_t op_code,
  // backfill pair len field
  if (op_code == GATT_RSP_READ_BY_TYPE) {
    if (pair_len > UINT8_MAX) {
      LOG(ERROR) << "pair_len greater than" << UINT8_MAX;
      LOG_ERROR("pair_len greater than %d", UINT8_MAX);
      osi_free(p_buf);
      return nullptr;
    }
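Review bot: The guard in the `-327,7 +328,7` hunk, `if (len > 0 && p_data != NULL && payload_size > size_now)`, is what keeps the clamp `payload_size - size_now < len` from wrapping when `size_now` (a `size_t`) has already passed `payload_size`, but nothing at that site says so, and a later cleanup could "simplify" the condition back and reintroduce the out-of-bounds write the commit title describes. I would add a comment on that line: `/* size_t subtraction below wraps if size_now >= payload_size; skip the copy rather than clamp */`. Whether `size_now` can actually exceed `payload_size` at this point depends on the `CHECK_SIZE()` calls between the hunks, which are not visible here; note that `CHECK_SIZE()` rejects only `size_now > payload_size`, so equality reaches this branch and the `>` guard correctly treats it as "no room left". The body of `attp_build_value_cmd` starts before the first hunk and continues past the last one, and I cannot tell from the rendering whether the guarded form or the unguarded form is the new side, so the above assumes the guarded form is the fix.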