Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d5ec5273 authored by Hui Peng's avatar Hui Peng
Browse files

Fix a type confusion bug in bta_av_setconfig_rej 

tBTA_AV_CI_SETCONFIG is treated as tBTA_AV_STR_MSG
in bta_av_setconfig_rej, resulting OOB access.

Bug: 260230151
Test: manual
Ignore-AOSP-First: security
Tag: #security
Change-Id: I78a1ee50dea0113381e51f8521711d758dc759cf
parent 63d140fa

system/bta/av/bta_av_aact.cc

+2 −4
Original line number Diff line number Diff line
@@ -1785,9 +1785,7 @@ void bta_av_getcap_results(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) { 
 *

 ******************************************************************************/

void bta_av_setconfig_rej(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) {

  uint8_t avdt_handle = p_data->ci_setconfig.avdt_handle;



  bta_av_adjust_seps_idx(p_scb, avdt_handle);

  bta_av_adjust_seps_idx(p_scb, p_scb->avdt_handle);

  LOG_INFO("%s: sep_idx=%d avdt_handle=%d bta_handle=0x%x", __func__,

           p_scb->sep_idx, p_scb->avdt_handle, p_scb->hndl);

  AVDT_ConfigRsp(p_scb->avdt_handle, p_scb->avdt_label, AVDT_ERR_UNSUP_CFG, 0);
@@ -1795,7 +1793,7 @@ void bta_av_setconfig_rej(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) { 
  tBTA_AV bta_av_data = {

      .reject =

          {

              .bd_addr = p_data->str_msg.bd_addr,

              .bd_addr = p_scb->PeerAddress(),

              .hndl = p_scb->hndl,

          },

  };