From 397c1e928552db0b5ae642885e8475de27e47822 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Fri, 28 Apr 2023 02:42:22 +0000
Subject: [PATCH] Fix multiple OOB bugs in btm_ble_gap.cc

Bug: 275057843
Bug: 275057678
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3bb913ee8c7da4602798db754045c0fac57afecf)
Merged-In: I4c8ec50c15e2727839a49da0e582164557bcd38a
Change-Id: I4c8ec50c15e2727839a49da0e582164557bcd38a
---
 system/stack/btm/btm_ble_gap.cc | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/system/stack/btm/btm_ble_gap.cc b/system/stack/btm/btm_ble_gap.cc
index 55987afeda1..ea608c8e235 100644
--- a/system/stack/btm/btm_ble_gap.cc
+++ b/system/stack/btm/btm_ble_gap.cc
@@ -979,6 +979,12 @@ void btm_ble_start_sync_request(uint8_t sid, RawAddress addr, uint16_t skip,
   uint8_t options = 0;
   uint8_t cte_type = 7;
   int index = btm_ble_get_psync_index(sid, addr);
+
+  if (index == MAX_SYNC_TRANSACTION) {
+    LOG_ERROR("Failed to get sync transfer index");
+    return;
+  }
+
   tBTM_BLE_PERIODIC_SYNC* p = &btm_ble_pa_sync_cb.p_sync[index];
   p->sync_state = PERIODIC_SYNC_PENDING;
 
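Review bot: The message on the added line `LOG_ERROR("Failed to get sync transfer index");` does not describe what failed here — the lookup is `btm_ble_get_psync_index(sid, addr)`, a periodic-sync slot rather than a sync-transfer one, and the same copied text appears again in the btm_ble_start_sync_timeout hunk below; `LOG_ERROR("Failed to get periodic sync index for sid %d", sid);` would let someone triaging a rejected request see which table was involved. The guard also only rejects the exact sentinel: if btm_ble_get_psync_index can return nothing but a valid slot or MAX_SYNC_TRANSACTION that is sufficient, otherwise `if (index < 0 || index >= MAX_SYNC_TRANSACTION)` is the safer form, assuming p_sync has MAX_SYNC_TRANSACTION entries (not visible in the hunk). btm_ble_start_sync_request continues past this hunk.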
@@ -1052,6 +1058,11 @@ static void btm_ble_start_sync_timeout(void* data) {
 
   int index = btm_ble_get_psync_index(adv_sid, address);
 
+  if (index == MAX_SYNC_TRANSACTION) {
+    LOG_ERROR("Failed to get sync transfer index");
+    return;
+  }
+
   tBTM_BLE_PERIODIC_SYNC* p = &btm_ble_pa_sync_cb.p_sync[index];
 
   if (BleScanningManager::IsInitialized()) {
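Review bot: In a timer callback a missing entry may be a benign race (the sync completed or was cancelled and its slot released before the timer fired) rather than a fault, yet the new guard reports it at LOG_ERROR, which will read as a bug to anyone scanning logs; if that race is possible here, a warning that states the situation, e.g. `LOG_WARN("No periodic sync entry for sid %d at sync timeout", adv_sid);`, is more accurate. Whether the pending state or the timer itself needs any cleanup when the entry is gone cannot be told from these lines, since the rest of btm_ble_start_sync_timeout lies outside the hunk.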
@@ -1255,11 +1266,14 @@ void BTM_BleStartPeriodicSync(uint8_t adv_sid, RawAddress address,
                               SyncLostCb lostCb, BigInfoReportCb biginfo_reportCb) {
   LOG_DEBUG("%s", "[PSync]");
   int index = btm_ble_get_free_psync_index();
-  tBTM_BLE_PERIODIC_SYNC* p = &btm_ble_pa_sync_cb.p_sync[index];
+
   if (index == MAX_SYNC_TRANSACTION) {
     syncCb.Run(BTM_NO_RESOURCES, 0, adv_sid, BLE_ADDR_RANDOM, address, 0, 0);
     return;
   }
+
+  tBTM_BLE_PERIODIC_SYNC* p = &btm_ble_pa_sync_cb.p_sync[index];
+
   p->in_use = true;
   p->remote_bda = address;
   p->sid = adv_sid;
@@ -1392,6 +1406,12 @@ void BTM_BlePeriodicSyncTransfer(RawAddress addr, uint16_t service_data,
   }
 
   int index = btm_ble_get_free_sync_transfer_index();
+  if (index == MAX_SYNC_TRANSACTION) {
+    BTM_TRACE_ERROR("Failed to get sync transfer index");
+    cb.Run(BTM_ILLEGAL_VALUE, addr);
+    return;
+  }
+
   tBTM_BLE_PERIODIC_SYNC_TRANSFER* p_sync_transfer =
       &btm_ble_pa_sync_cb.sync_transfer[index];
   p_sync_transfer->in_use = true;
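Review bot: The status on the new line `cb.Run(BTM_ILLEGAL_VALUE, addr);` signals a bad caller argument, but the condition is exhaustion of the sync_transfer table; BTM_BleStartPeriodicSync in this same patch reports the equivalent case as BTM_NO_RESOURCES, so `cb.Run(BTM_NO_RESOURCES, addr);` would keep the two entry points consistent and let a caller tell "retry later" from "fix the request". The same six lines are duplicated verbatim in the BTM_BlePeriodicSyncSetInfo hunk below, and both use BTM_TRACE_ERROR where the first two hunks use LOG_ERROR even though this file already uses the LOG_ family (LOG_DEBUG at the top of BTM_BleStartPeriodicSync); one helper or one macro family would make the paths easier to audit. Running cb synchronously from the failure path is worth a sentence in the function's header comment, since callers that hold a lock or update state after the call may not expect a re-entrant callback; whether any do depends on code outside this hunk. BTM_BlePeriodicSyncTransfer continues beyond the hunk.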
@@ -1431,6 +1451,12 @@ void BTM_BlePeriodicSyncSetInfo(RawAddress addr, uint16_t service_data,
   }
 
   int index = btm_ble_get_free_sync_transfer_index();
+  if (index == MAX_SYNC_TRANSACTION) {
+    BTM_TRACE_ERROR("Failed to get sync transfer index");
+    cb.Run(BTM_ILLEGAL_VALUE, addr);
+    return;
+  }
+
   tBTM_BLE_PERIODIC_SYNC_TRANSFER* p_sync_transfer =
       &btm_ble_pa_sync_cb.sync_transfer[index];
   p_sync_transfer->in_use = true;
-- 
GitLab