Commit 57b823f4, authored by Hui Peng, committed by Android Build Coastguard Worker

Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd

1. The size of `p_src->attr_value.value` is dependent on
   `p_src->attr_value.len`. While copying `p_src->attr_value.value`
   to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN
   bytes, which may result in an OOB read in `p_src->attr_value.value`;

2. As the `p_dest->attr_value.len` does not map the length of
   `p_dest->attr_value.value`, it may result in OOB read in
   attp_build_value_cmd;

Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59)
Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
parent 92cc886f
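
The two length rules the commit message describes, as an added C sketch that is not the patch itself or AOSP code: the `demo_*` types and functions are hypothetical stand-ins for the structures named above, and the value given to `GATT_MAX_ATTR_LEN` is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GATT_MAX_ATTR_LEN 512 /* assumed value for this sketch */

/* Simplified stand-ins for the structures named in the commit message. */
typedef struct {
  uint16_t len;         /* number of valid bytes behind value */
  const uint8_t* value; /* backing storage holds only len bytes */
} demo_src_attr_t;

typedef struct {
  uint16_t len;
  uint8_t value[GATT_MAX_ATTR_LEN];
} demo_dest_attr_t;

/* Item 1: copy only the bytes the source really has, clamped to the
 * destination capacity, and record exactly that count as the length. */
static uint16_t demo_copy_attr_value(demo_dest_attr_t* dst,
                                     const demo_src_attr_t* src) {
  uint16_t n = src->len;
  if (n > GATT_MAX_ATTR_LEN) n = GATT_MAX_ATTR_LEN;
  if (n > 0) memcpy(dst->value, src->value, n);
  dst->len = n;
  return n;
}

/* Item 2: a consumer that serialises value[0..len) must reject a len that
 * exceeds either the value array or the output buffer. Returns bytes
 * written, or -1 when the length is inconsistent. */
static int demo_build_value(uint8_t* out, size_t out_cap,
                            const demo_dest_attr_t* attr) {
  if (attr->len > sizeof(attr->value) || attr->len > out_cap) return -1;
  memcpy(out, attr->value, attr->len);
  return (int)attr->len;
}
/* Constructed sample: a 3-byte source value, then an inconsistent len. */
static int demo_run(void) {
  static const uint8_t three[3] = {0xAA, 0xBB, 0xCC};
  demo_src_attr_t src = {3, three};
  demo_dest_attr_t dst;
  uint8_t pdu[8];
  if (demo_copy_attr_value(&dst, &src) != 3) return 1;
  if (demo_build_value(pdu, sizeof(pdu), &dst) != 3) return 2;
  dst.len = GATT_MAX_ATTR_LEN + 1; /* length that no longer matches value */
  if (demo_build_value(pdu, sizeof(pdu), &dst) != -1) return 3;
  return 0;
}
```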