Fix integer overflow in build_read_multi_rsp
Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior. Change the locals to size_t, and add a check during reasssignment. Bug: 273966636 Test: atest bluetooth_test_gd_unit, net_test_stack_btm Tag: #security Ignore-AOSP-First: Security Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715 (cherry picked from commit 70a4d628)
Loading
Please register or sign in to comment