-
Brian Delwiche authored
At various points in gatt_sr.cc, the output of the gatt_tcb_get_payload_size function is used without checking for a positive length. However, in exceptional cases it is possible for the channel to be closed at the time the function is called, which will lead to a zero length and cause an OOB write in subsequent processing. Fix all of these. Bug: 364026473 Bug: 364027038 Bug: 364027949 Bug: 364025411 Test: m libbluetooth Test: researcher POC Flag: EXEMPT trivial validity checks Tag: #security Ignore-AOSP-First: Security (cherry picked from commit 7de5617f) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc) Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404 Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
Brian Delwiche authoredAt various points in gatt_sr.cc, the output of the gatt_tcb_get_payload_size function is used without checking for a positive length. However, in exceptional cases it is possible for the channel to be closed at the time the function is called, which will lead to a zero length and cause an OOB write in subsequent processing. Fix all of these. Bug: 364026473 Bug: 364027038 Bug: 364027949 Bug: 364025411 Test: m libbluetooth Test: researcher POC Flag: EXEMPT trivial validity checks Tag: #security Ignore-AOSP-First: Security (cherry picked from commit 7de5617f) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:130861eadc3d9eda593df949666e561dd1f020fc) Merged-In: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404 Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
Code owners
Assign users and groups as approvers for specific file changes. Learn more.