Merge "Fix an OOB write in BTA_GATTS_HandleValueIndication" into tm-dev am:... (f1227636) · Commits · e / os / android_packages_modules_Bluetooth

system/bta/gatt/bta_gatts_api.cc

+6 −0

Original line number	Original line	Diff line number	Diff line
	@@ -242,6 +242,12 @@ void BTA_GATTS_StopService(uint16_t service_id) {
	void BTA_GATTS_HandleValueIndication(uint16_t conn_id, uint16_t attr_id,		void BTA_GATTS_HandleValueIndication(uint16_t conn_id, uint16_t attr_id,
	std::vector<uint8_t> value,		std::vector<uint8_t> value,
	bool need_confirm) {		bool need_confirm) {

			if (value.size() > sizeof(tBTA_GATTS_API_INDICATION::value)) {
			LOG(ERROR) << __func__ << "data to indicate is too long";
			return;
			}

	tBTA_GATTS_API_INDICATION* p_buf =		tBTA_GATTS_API_INDICATION* p_buf =
	(tBTA_GATTS_API_INDICATION*)osi_calloc(sizeof(tBTA_GATTS_API_INDICATION));		(tBTA_GATTS_API_INDICATION*)osi_calloc(sizeof(tBTA_GATTS_API_INDICATION));