
Commit bf9449a7 authored by Hui Peng

Fix an integer overflow bug in avdt_msg_asmbl

Bug: 280633699
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: Iaa4d603921fc4ffb8cfb5783f99ec0963affd6a2
parent 648f7433
+2 −2
@@ -1290,14 +1290,14 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
       * NOTE: The buffer is allocated above at the beginning of the
       * reassembly, and is always of size BT_DEFAULT_BUFFER_SIZE.
       */
      uint16_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);
      size_t buf_len = BT_DEFAULT_BUFFER_SIZE - sizeof(BT_HDR);

      /* adjust offset and len of fragment for header byte */
      p_buf->offset += AVDT_LEN_TYPE_CONT;
      p_buf->len -= AVDT_LEN_TYPE_CONT;

      /* verify length */
      if ((p_ccb->p_rx_msg->offset + p_buf->len) > buf_len) {
      if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len) {
        /* won't fit; free everything */
        AVDT_TRACE_WARNING("%s: Fragmented message too big!", __func__);
        osi_free_and_reset((void**)&p_ccb->p_rx_msg);
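Review bot: the widened check on the new line `if (((size_t) p_ccb->p_rx_msg->offset + (size_t) p_buf->len) > buf_len)` still runs after `p_buf->len -= AVDT_LEN_TYPE_CONT`, so a fragment whose len is smaller than AVDT_LEN_TYPE_CONT wraps in that subtraction before the comparison ever sees it; whether the wrapped value is then rejected depends only on it exceeding buf_len, which the code leaves implicit. Consider an explicit guard ahead of the adjustment, e.g. `if (p_buf->len < AVDT_LEN_TYPE_CONT) { /* malformed fragment; free and bail out */ }`, and extend the `/* verify length */` comment to say that both operands are cast to size_t so the sum cannot wrap before it is compared against buf_len, since that is the whole point of the change and is otherwise easy to lose in a later cleanup.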