Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd

1. The size of `p_src->attr_value.value` is dependent on `p_src->attr_value.len`. While copying `p_src->attr_value.value`, to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN bytes, it may result in OOB read in `p_src->attr_value.value`; 2. As the `p_dest->attr_value.len` does not map the length of `p_dest->attr_value.value`, it may result in OOB read in attp_build_value_cmd; Bug: 276898739 Test: manual Tag: #security Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59) Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368 Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368

Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
67241b75 · Hui Peng · Android Build Coastguard Worker · c3717d75 · 67241b75
Commit 67241b75 authored 1 year ago by Hui Peng Committed by Android Build Coastguard Worker 1 year ago
--- a/system/btif/src/btif_gatt_util.cc
+++ b/system/btif/src/btif_gatt_util.cc
@@ -18,6 +18,8 @@

 #define LOG_TAG "bt_btif_gatt"

+#include <algorithm>
+
 #include "btif_gatt_util.h"

 #include <errno.h>
@@ -52,9 +54,9 @@ using bluetooth::Uuid;
 void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
  p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
  p_dest->attr_value.handle = p_src->attr_value.handle;
-  p_dest->attr_value.len = p_src->attr_value.len;
+  p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
  p_dest->attr_value.offset = p_src->attr_value.offset;
-  memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
+  memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
 }

 /*******************************************************************************