
Commit daf53547 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review

Merge "Checks the SMP length to fix OOB read" into nyc-dev

parents 3ee9ccdf 9a1046a4
+17 −1
@@ -1011,6 +1011,14 @@ void smp_proc_enc_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
    UINT8   *p = (UINT8 *)p_data;

    SMP_TRACE_DEBUG("%s", __func__);

    if (smp_command_has_invalid_parameters(p_cb)) {
        uint8_t reason = SMP_INVALID_PARAMETERS;
        android_errorWriteLog(0x534e4554, "111937065");
        smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
        return;
    }

    STREAM_TO_ARRAY(p_cb->ltk, p, BT_OCTET16_LEN);

    smp_key_distribution(p_cb, NULL);
@@ -1052,7 +1060,7 @@ void smp_proc_master_id(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
}

/*******************************************************************************
** Function     smp_proc_enc_info
** Function     smp_proc_id_info
** Description  process identity information from peer device
*******************************************************************************/
void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
@@ -1060,6 +1068,14 @@ void smp_proc_id_info(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
    UINT8   *p = (UINT8 *)p_data;

    SMP_TRACE_DEBUG("%s", __func__);

    if (smp_command_has_invalid_parameters(p_cb)) {
        uint8_t reason = SMP_INVALID_PARAMETERS;
        android_errorWriteLog(0x534e4554, "111937065");
        smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
        return;
    }

    STREAM_TO_ARRAY (p_cb->tk, p, BT_OCTET16_LEN);   /* reuse TK for IRK */
    smp_key_distribution_by_transport(p_cb, NULL);
}
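Review bot: The guard added before the key copy in smp_proc_enc_info and smp_proc_id_info is the same six lines pasted twice, with no comment saying what it protects and a bare `0x534e4554` in the log call. Since the next statement in each handler is a `STREAM_TO_ARRAY(..., p, BT_OCTET16_LEN)` copy with no bounds check of its own, I would put `/* Reject malformed SMP commands before the fixed BT_OCTET16_LEN copy from p below. */` above each `if`, and declare `UINT8 reason = SMP_INVALID_PARAMETERS;` to match the `UINT8 *p` declaration beside it. The check takes only `p_cb` while the copy reads through `p_data`, so it presumably relies on the received length recorded in the control block describing this same buffer; that assumption is worth stating in the comment. Only these two handlers gain the check in this commit, and both bodies start outside the hunks shown; whether smp_proc_master_id, which ends at the top of the second hunk, already has an equivalent guard is not visible here and should be confirmed.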