Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd

1. The size of `p_src->attr_value.value` is dependent on `p_src->attr_value.len`. While copying `p_src->attr_value.value` to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN bytes, which may result in an OOB read in `p_src->attr_value.value`;
2. As the `p_dest->attr_value.len` does not map the length of `p_dest->attr_value.value`, it may result in an OOB read in attp_build_value_cmd;

Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59)
Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
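
The two conditions in the commit message, modelled as a bounded copy and a length-checked consumer. This is an added example, not the code from this change or from the Bluetooth stack: the types `src_attr_t` and `dest_attr_t`, the functions `copy_attr_value` and `build_value_payload`, and the value 512 for GATT_MAX_ATTR_LEN are assumptions made for the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GATT_MAX_ATTR_LEN 512 /* assumed value for this sketch */

/* Hypothetical, simplified types; not the Bluetooth stack's own structs. */
typedef struct { const uint8_t *value; uint16_t len; } src_attr_t; /* len valid bytes */
typedef struct { uint8_t value[GATT_MAX_ATTR_LEN]; uint16_t len; } dest_attr_t;

/* The commit message describes a copy of a fixed GATT_MAX_ATTR_LEN bytes
 * regardless of src->len. Here the length is clamped first, only that many
 * bytes are read from the source, and dest->len records what was copied. */
static uint16_t copy_attr_value(dest_attr_t *dest, const src_attr_t *src)
{
    uint16_t n = src->len;
    if (n > GATT_MAX_ATTR_LEN) n = GATT_MAX_ATTR_LEN;
    if (src->value == NULL) n = 0;
    memset(dest->value, 0, sizeof(dest->value)); /* no stale bytes after n */
    if (n > 0) memcpy(dest->value, src->value, n);
    dest->len = n;
    return n;
}

/* Consumer side (the role attp_build_value_cmd plays in the message): never
 * trust attr->len beyond the array it describes or the output capacity. */
static size_t build_value_payload(uint8_t *out, size_t out_cap, const dest_attr_t *attr)
{
    size_t n = attr->len;
    if (n > sizeof(attr->value)) n = sizeof(attr->value);
    if (n > out_cap) n = out_cap;
    memcpy(out, attr->value, n);
    return n;
}

int main(void)
{
    const uint8_t sample[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed input */
    src_attr_t src = {sample, sizeof(sample)};
    dest_attr_t dest;
    uint8_t pdu[32];
    copy_attr_value(&dest, &src);
    printf("copied=%u payload=%zu\n", (unsigned)dest.len,
           build_value_payload(pdu, sizeof(pdu), &dest));
    return 0;
}
```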