Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit d3cf1ced authored by Martin Brabham's avatar Martin Brabham Committed by Android Build Coastguard Worker
Browse files

Security Fix: Crafted GATT request causes BT stack crash 

A while loop and condition check for the value of a type to be 0
when in fact since the value.len is arbitrary it could make the
remaining length "less than 0" and since the type is unsigned it'll
never be "less than 0."

Use signed type for loop and conditional checking.

Additionally, make sure the value.len when used to read an array is not
more than the remaining length of the data.

Bug: 197536150
Test: poc application
Tag: #security
Change-Id: I20d66ddd1055577d7d39aba447233c19081bb789
(cherry picked from commit 61570b9d)
parent 8709840c
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment