Fix OOB writes in gatt_sr.cc
At various points in gatt_sr.cc, the output of the gatt_tcb_get_payload_size function is used without checking for a positive length. However, in exceptional cases it is possible for the channel to be closed at the time the function is called, which will lead to a zero length and cause an OOB write in subsequent processing. Fix all of these. Bug: 364026473 Bug: 364027038 Bug: 364027949 Bug: 364025411 Test: m libbluetooth Test: researcher POC Flag: EXEMPT trivial validity checks Tag: #security Ignore-AOSP-First: Security Change-Id: I9b30499d4aed6ab42f3cdb2c0de7df2c1a827404
Loading
Please register or sign in to comment