From bbd88e88ce749aab87178e189a05e5a356d0631c Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Thu, 27 Apr 2023 00:50:26 +0000
Subject: [PATCH] Fix a type confusion bug in bta_av_setconfig_rej

tBTA_AV_CI_SETCONFIG is treated as tBTA_AV_STR_MSG
in bta_av_setconfig_rej, resulting in an out-of-bounds (OOB) access.

Bug: 260230151
Test: manual
Ignore-AOSP-First: security
Tag: #security
Merged-In: I78a1ee50dea0113381e51f8521711d758dc759cf
Change-Id: I78a1ee50dea0113381e51f8521711d758dc759cf
---
 system/bta/av/bta_av_aact.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/system/bta/av/bta_av_aact.cc b/system/bta/av/bta_av_aact.cc
index 9e48782172b..016428e360a 100644
--- a/system/bta/av/bta_av_aact.cc
+++ b/system/bta/av/bta_av_aact.cc
@@ -1740,14 +1740,14 @@ void bta_av_getcap_results(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) {
  ******************************************************************************/
 void bta_av_setconfig_rej(tBTA_AV_SCB* p_scb, tBTA_AV_DATA* p_data) {
   tBTA_AV_REJECT reject;
-  uint8_t avdt_handle = p_data->ci_setconfig.avdt_handle;
 
-  bta_av_adjust_seps_idx(p_scb, avdt_handle);
+  bta_av_adjust_seps_idx(p_scb, p_scb->avdt_handle);
+
   LOG_INFO("%s: sep_idx=%d avdt_handle=%d bta_handle=0x%x", __func__,
            p_scb->sep_idx, p_scb->avdt_handle, p_scb->hndl);
   AVDT_ConfigRsp(p_scb->avdt_handle, p_scb->avdt_label, AVDT_ERR_UNSUP_CFG, 0);
 
-  reject.bd_addr = p_data->str_msg.bd_addr;
+  reject.bd_addr = p_scb->PeerAddress();
   reject.hndl = p_scb->hndl;
 
   tBTA_AV bta_av_data;
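Review bot: After this change `p_data` is not read anywhere in the visible part of bta_av_setconfig_rej, but nothing in the code records why, so a later maintainer is likely to reintroduce a `p_data->ci_setconfig` or `p_data->str_msg` read and the same type confusion. Suggest a comment right after the signature, e.g. `// Per the event this is dispatched for, p_data may be a tBTA_AV_CI_SETCONFIG rather than a tBTA_AV_STR_MSG; do not read through it here — use only the state already held in p_scb.` If `p_data` is also unused in the remainder of the body, mark it unused in the file's usual way so -Wunused-parameter stays clean. bta_av_setconfig_rej's body continues outside the hunk.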
-- 
GitLab