From 73827ac555cd4faa98510a18ee008ca78d142929 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 6 Dec 2022 01:36:30 +0000
Subject: [PATCH] Fix an OOB bug in btm_ble_add_resolving_list_entry_complete

Regression test: Ie8c6cb188cf7cde94d2f7dc0db04b3de51e08678

Bug: 260078907
Test: atest net_test_stack_btm
Tag: #security
Ignore-AOSP-First: security
Merged-In: I4aec266e09e33e8a19a9e33715fdb7ed7f4d4f58
Change-Id: I4aec266e09e33e8a19a9e33715fdb7ed7f4d4f58
---
 system/stack/btm/btm_ble_privacy.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/system/stack/btm/btm_ble_privacy.cc b/system/stack/btm/btm_ble_privacy.cc
index b2f26faf15c..f5839634b87 100644
--- a/system/stack/btm/btm_ble_privacy.cc
+++ b/system/stack/btm/btm_ble_privacy.cc
@@ -268,6 +268,12 @@ void btm_ble_clear_resolving_list_complete(uint8_t* p, uint16_t evt_len) {
  ******************************************************************************/
 void btm_ble_add_resolving_list_entry_complete(uint8_t* p, uint16_t evt_len) {
   uint8_t status;
+
+  if (evt_len < 1) {
+    BTM_TRACE_ERROR("malformatted event packet: containing zero bytes");
+    return;
+  }
+
   STREAM_TO_UINT8(status, p);
 
   BTM_TRACE_DEBUG("%s status = %d", __func__, status);
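Review bot: The error trace in the new `evt_len < 1` guard carries neither the function name nor the received length, unlike the `BTM_TRACE_DEBUG` below it that prefixes `__func__`, so a malformed controller event is hard to attribute from logs alone. I would write it as `BTM_TRACE_ERROR("%s: malformed event packet, evt_len = %d", __func__, evt_len);`. The guard covers only the one-byte `STREAM_TO_UINT8(status, p)` read visible here, and the function body continues outside the hunk. Any later reads from `p`, and any pending-operation bookkeeping the normal path performs, should be checked separately because the early return skips them. `btm_ble_clear_resolving_list_complete` in the hunk header takes the same `(p, evt_len)` pair and may need the same length check if it does not already have one.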
-- 
GitLab