Fix integer overflow in att_protocol.cc

attp_build_read_multi_cmd uses a uint8 for a loop index, but compares it against a uint16. While this does not currently appear externally reachable, in fuzzing this permits an invalid comparison which eventually produces OOB write once the loop overruns the buffer. Change the types to match.

Bug: 274634263
Test: m libbluetooth
Test: gatt_fuzzer testcase as specified in bug
Flag: EXEMPT trivial integer overflow
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I911673621bd3676f01eda43a91b0efa7e894935b
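The type mismatch the commit message describes, as an added example that is not code from att_protocol.cc or from this change. The function names, handle values, count limit and buffer sizing are constructed for illustration, and the explicit capacity check marks the point where an unguarded loop would write out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_MAX 300 /* constructed limit, chosen to exceed UINT8_MAX */
typedef int (*pack_fn)(const uint16_t *, uint16_t, uint8_t *, size_t);

/* Mismatched types: uint8_t index, uint16_t bound. The index wraps
 * 255 -> 0, so i < n never becomes false once n > 255. Returns bytes
 * written, or -1 where the next store would pass the end of out. */
static int pack_u8_index(const uint16_t *h, uint16_t n, uint8_t *out, size_t cap) {
    size_t off = 0;
    for (uint8_t i = 0; i < n; i++) {
        if (off + 2 > cap) return -1; /* demo guard: the OOB write point */
        out[off++] = (uint8_t)(h[i] & 0xff);
        out[off++] = (uint8_t)(h[i] >> 8);
    }
    return (int)off;
}

/* Matching types: the index is as wide as the bound, so the loop runs
 * exactly n times. The capacity check stays as defence in depth. */
static int pack_u16_index(const uint16_t *h, uint16_t n, uint8_t *out, size_t cap) {
    size_t off = 0;
    for (uint16_t i = 0; i < n; i++) {
        if (off + 2 > cap) return -1;
        out[off++] = (uint8_t)(h[i] & 0xff);
        out[off++] = (uint8_t)(h[i] >> 8);
    }
    return (int)off;
}

/* Runs one packer on n constructed handles with a buffer of exactly 2*n bytes. */
static int run_case(pack_fn pack, uint16_t n) {
    static uint16_t handles[N_MAX];
    static uint8_t out[2 * N_MAX];
    if (n > N_MAX) return -2;
    for (uint16_t i = 0; i < n; i++) handles[i] = (uint16_t)(i + 1);
    return pack(handles, n, out, (size_t)2 * n);
}

int main(void) {
    printf("u8 index,  255 handles: %d\n", run_case(pack_u8_index, 255));
    printf("u8 index,  256 handles: %d\n", run_case(pack_u8_index, 256));
    printf("u16 index, 300 handles: %d\n", run_case(pack_u16_index, 300));
    return 0;
}
```

The narrow index behaves correctly up to 255 entries and fails from 256 onward, which is why this kind of defect tends to surface under fuzzing and not in ordinary tests.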