Skip to content
Snippets Groups Projects
Commit acb14e20 authored by Hui Peng's avatar Hui Peng
Browse files

Fix an OOB bug in dis_c_cmpl_cback 

This change can be tested with gatt sanity tests.

Bug: 254839585
Test: m com.android.btservices
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ic2f45486cfff5ddee3a5a0908ab028d464ee80f5
parent 269c90fc
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
system/stack/srvc/srvc_dis.cc
+ 8
1
View file @ acb14e20
...@@ -260,10 +260,17 @@ bool dis_gatt_c_read_dis_req(uint16_t conn_id) { ...@@ -260,10 +260,17 @@ bool dis_gatt_c_read_dis_req(uint16_t conn_id) {
******************************************************************************/ ******************************************************************************/
void dis_c_cmpl_cback(tSRVC_CLCB* p_clcb, tGATTC_OPTYPE op, tGATT_STATUS status, void dis_c_cmpl_cback(tSRVC_CLCB* p_clcb, tGATTC_OPTYPE op, tGATT_STATUS status,
tGATT_CL_COMPLETE* p_data) { tGATT_CL_COMPLETE* p_data) {
uint16_t read_type = dis_attr_uuid[dis_cb.dis_read_uuid_idx]; uint16_t read_type;
uint8_t *pp = NULL, *p_str; uint8_t *pp = NULL, *p_str;
uint16_t conn_id = p_clcb->conn_id; uint16_t conn_id = p_clcb->conn_id;
if (dis_cb.dis_read_uuid_idx >= (sizeof(dis_attr_uuid)/sizeof(dis_attr_uuid[0]))) {
LOG(ERROR) << "invalid dis_cb.dis_read_uuid_idx";
return;
}
read_type = dis_attr_uuid[dis_cb.dis_read_uuid_idx];
VLOG(1) << __func__ VLOG(1) << __func__
<< StringPrintf("op_code: 0x%02x status: 0x%02x read_type: 0x%04x", << StringPrintf("op_code: 0x%02x status: 0x%02x read_type: 0x%04x",
op, status, read_type); op, status, read_type);
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment