Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d6cba949 authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker
Browse files

Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd am: 59c9e84b am: 3a9e8036 

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/22948134



Change-Id: I3f0dc5f54bf57c298396a271a29e22c85d956e21
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 34cb3892 3a9e8036

system/btif/src/btif_gatt_util.cc

+4 −2
Original line number Diff line number Diff line
@@ -18,6 +18,8 @@ 


#define LOG_TAG "bt_btif_gatt"



#include <algorithm>



#include "btif_gatt_util.h"



#include <errno.h>
@@ -52,9 +54,9 @@ using bluetooth::Uuid; 
void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {

  p_dest->attr_value.auth_req = p_src->attr_value.auth_req;

  p_dest->attr_value.handle = p_src->attr_value.handle;

  p_dest->attr_value.len = p_src->attr_value.len;

  p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);

  p_dest->attr_value.offset = p_src->attr_value.offset;

  memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);

  memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);

}



/*******************************************************************************