Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bbd88e88 authored by Hui Peng's avatar Hui Peng
Browse files

Fix a type confusion bug in bta_av_setconfig_rej 

tBTA_AV_CI_SETCONFIG is treated as tBTA_AV_STR_MSG
in bta_av_setconfig_rej, resulting OOB access.

Bug: 260230151
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: I78a1ee50dea0113381e51f8521711d758dc759cf
Change-Id: I78a1ee50dea0113381e51f8521711d758dc759cf
parent c2166e96

system/bta/av/bta_av_aact.cc

+3 −3
Original line number Diff line number Diff line
@@ -1740,14 +1740,14 @@ void bta_av_getcap_results(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) { 
 ******************************************************************************/

void bta_av_setconfig_rej(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) {

  tBTA_AV_REJECT reject;

  uint8_t avdt_handle = p_data->ci_setconfig.avdt_handle;



  bta_av_adjust_seps_idx(p_scb, avdt_handle);

  bta_av_adjust_seps_idx(p_scb, p_scb->avdt_handle);



  LOG_INFO("%s: sep_idx=%d avdt_handle=%d bta_handle=0x%x", __func__,

           p_scb->sep_idx, p_scb->avdt_handle, p_scb->hndl);

  AVDT_ConfigRsp(p_scb->avdt_handle, p_scb->avdt_label, AVDT_ERR_UNSUP_CFG, 0);



  reject.bd_addr = p_data->str_msg.bd_addr;

  reject.bd_addr = p_scb->PeerAddress();

  reject.hndl = p_scb->hndl;



  tBTA_AV bta_av_data;