Commit 03aad851 authored 1 year ago by Hui Peng Committed by Android Build Coastguard Worker 1 year ago

Fix an integer underflow in build_read_multi_rsp

When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len
evaluates to true, integer underflow is triggered
in the following line, resulting OOB access.

```
 len = p_rsp->attr_value.len - (total_len - mtu);
```

Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4

parent dfdb94d5

No related merge requests found

Hide whitespace changes

Inline Side-by-side

Showing with 17 additions and 15 deletions

Please register or to comment