Skip to content
Snippets Groups Projects
Commit 85f4d53c authored by Hui Peng's avatar Hui Peng
Browse files

Fix an integer underflow in build_read_multi_rsp 

When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len
evaluates to true, integer underflow is triggered
in the following line, resulting OOB access.

```
 len = p_rsp->attr_value.len - (total_len - mtu);
```

Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security

Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
parent 0db5f1b1
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment