From acb14e20cee2de1dd2952663fea1a62f4a92aadc Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Sat, 29 Apr 2023 20:37:57 +0000
Subject: [PATCH] Fix an OOB bug in dis_c_cmpl_cback

This change can be tested with gatt sanity tests.

Bug: 254839585
Test: m com.android.btservices
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ic2f45486cfff5ddee3a5a0908ab028d464ee80f5
---
 system/stack/srvc/srvc_dis.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/system/stack/srvc/srvc_dis.cc b/system/stack/srvc/srvc_dis.cc
index 62cfd7c4983..3b5d6f1f520 100644
--- a/system/stack/srvc/srvc_dis.cc
+++ b/system/stack/srvc/srvc_dis.cc
@@ -260,10 +260,17 @@ bool dis_gatt_c_read_dis_req(uint16_t conn_id) {
  ******************************************************************************/
 void dis_c_cmpl_cback(tSRVC_CLCB* p_clcb, tGATTC_OPTYPE op, tGATT_STATUS status,
                       tGATT_CL_COMPLETE* p_data) {
-  uint16_t read_type = dis_attr_uuid[dis_cb.dis_read_uuid_idx];
+  uint16_t read_type;
   uint8_t *pp = NULL, *p_str;
   uint16_t conn_id = p_clcb->conn_id;
 
+  if (dis_cb.dis_read_uuid_idx >= (sizeof(dis_attr_uuid)/sizeof(dis_attr_uuid[0]))) {
+    LOG(ERROR) << "invalid dis_cb.dis_read_uuid_idx";
+    return;
+  }
+
+  read_type = dis_attr_uuid[dis_cb.dis_read_uuid_idx];
+
   VLOG(1) << __func__
           << StringPrintf("op_code: 0x%02x  status: 0x%02x read_type: 0x%04x",
                           op, status, read_type);
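Review bot: The new guard at the top of dis_c_cmpl_cback only stops the out-of-bounds read at this one site and then returns silently, so whatever advanced dis_cb.dis_read_uuid_idx past the end of dis_attr_uuid is presumably still in place, and on the early-return path the completed GATT read is dropped without any completion being reported for p_clcb->conn_id. Since the index is global state that appears to be updated somewhere outside this hunk, it is worth confirming that the code which increments it is bounded as well, and deciding whether this path should reset the index or otherwise finish the DIS read so a waiting client is not left hanging. The log line would be more useful with the offending value, e.g. `LOG(ERROR) << __func__ << ": invalid dis_read_uuid_idx " << static_cast<int>(dis_cb.dis_read_uuid_idx);`, and the hand-written `sizeof(dis_attr_uuid)/sizeof(dis_attr_uuid[0])` could use the project's usual array-length helper if one is available in this file. The body of dis_c_cmpl_cback continues past the end of the hunk.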
-- 
GitLab