
Commit e5ab6c61 authored by Brian Delwiche's avatar Brian Delwiche

Fix OOB write in build_read_multi_rsp of gatt_sr.cc

build_read_multi_rsp is missing a bounds check, which can lead to an
OOB write when the mtu parameter is set to zero.

Add that bounds check.

Bug: 323850943
Test: atest GattSrTest
Test: researcher POC
Tag: #security
Flag: EXEMPT trivial validity checks
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cad927034a371b82a4a07a16ec442eb261f6153f)
Merged-In: I18e4325dbc9d6814220332288c85b114d0415c2f
Change-Id: I18e4325dbc9d6814220332288c85b114d0415c2f
parent d477f5ed
+1 −0
@@ -98,6 +98,7 @@ class EattChannel {

  void EattChannelSetTxMTU(uint16_t tx_mtu) {
    this->tx_mtu_ = std::min<uint16_t>(tx_mtu, EATT_MAX_TX_MTU);
    this->tx_mtu_ = std::max<uint16_t>(this->tx_mtu_, EATT_MIN_MTU_MPS);
  }
};
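Review bot: the new std::max clamp in EattChannelSetTxMTU silently raises any tx_mtu below EATT_MIN_MTU_MPS to the minimum, with no record that the peer's value was out of range; consider logging the original value when the clamp changes it, and adding a one-line comment above the two clamps stating that tx_mtu_ must stay within [EATT_MIN_MTU_MPS, EATT_MAX_TX_MTU], since the min-then-max ordering only gives a sensible result while EATT_MAX_TX_MTU >= EATT_MIN_MTU_MPS.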

+7 −0
@@ -148,6 +148,13 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
  uint8_t* p;
  bool is_overflow = false;

  // We need at least one extra byte for the opcode
  if (mtu == 0) {
    LOG(ERROR) << "Invalid MTU";
    p_cmd->status = GATT_ILLEGAL_PARAMETER;
    return;
  }

  len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu;
  BT_HDR* p_buf = (BT_HDR*)osi_calloc(len);
  p_buf->offset = L2CAP_MIN_OFFSET;
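Review bot: the new guard rejects only mtu == 0, while the comment above it ("We need at least one extra byte for the opcode") describes the requirement rather than the bound being enforced; consider spelling out the real minimum this function needs and checking against that, so that an mtu of 1 (room for the opcode alone) does not still yield a response with no space for attribute data. The check is correctly placed before osi_calloc, so the early return leaks nothing, but the message "Invalid MTU" would be easier to act on if it included the offending value, e.g. `LOG(ERROR) << "Invalid MTU: " << mtu;`.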