Fix an OOB bug in bta_gattc_read_multi (daeb4479) · Commits · e / os / android_packages_modules_Bluetooth

system/bta/gatt/bta_gattc_act.cc

+5 −0

Original line number	Diff line number	Diff line
		@@ -1014,6 +1014,11 @@ void bta_gattc_read_multi(tBTA_GATTC_CLCB* p_clcb,
		const tBTA_GATTC_DATA* p_data) {
		if (bta_gattc_enqueue(p_clcb, p_data) == ENQUEUED_FOR_LATER) return;

		if (p_data->api_read_multi.num_attr > GATT_MAX_READ_MULTI_HANDLES) {
		LOG(ERROR) << "api_read_multi.num_attr > GATT_MAX_READ_MULTI_HANDLES";
		return;
		}

		tGATT_READ_PARAM read_param;
		memset(&read_param, 0, sizeof(tGATT_READ_PARAM));