Fix an integer underflow in build_read_multi_rsp
When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len evaluates to true, integer underflow is triggered in the following line, resulting OOB access. ``` len = p_rsp->attr_value.len - (total_len - mtu); ``` Bug: 273874525 Test: manual Ignore-AOSP-First: security Tag: #security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23) Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4 Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Loading
Please register or sign in to comment