Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bf4f2526 authored by Hui Peng's avatar Hui Peng
Browse files

Fix an OOB bug in btu_ble_ll_conn_param_upd_evt 

Bug: 260230274
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Id733a472236c005e30ff5c2b56b51d6e10fc9061
parent 5d323752

system/stack/btu/btu_hcif.cc

+6 −1
Original line number Diff line number Diff line
@@ -325,7 +325,7 @@ void btu_hcif_process_event(UNUSED_ATTR uint8_t controller_id, 
          btm_ble_process_adv_pkt(ble_evt_len, p);

          break;

        case HCI_BLE_LL_CONN_PARAM_UPD_EVT:

          btu_ble_ll_conn_param_upd_evt(p, hci_evt_len);

          btu_ble_ll_conn_param_upd_evt(p, ble_evt_len);

          break;

        case HCI_BLE_READ_REMOTE_FEAT_CMPL_EVT:

          btm_ble_read_remote_features_complete(p);
@@ -1611,6 +1611,11 @@ static void btu_ble_ll_conn_param_upd_evt(uint8_t* p, uint16_t evt_len) { 
  uint16_t latency;

  uint16_t timeout;



  if (evt_len < 9) {

     LOG_ERROR("Malformated event packet, too short");

     return;

  }



  STREAM_TO_UINT8(status, p);

  STREAM_TO_UINT16(handle, p);

  STREAM_TO_UINT16(interval, p);