Commit c077ffbe authored by Brian Delwiche's avatar Brian Delwiche

Fix OOB read in btm_ble_periodic_av_sync_lost

btm_ble_periodic_av_sync_lost internally calls the function
btm_ble_get_psync_index_from_handle, which polls the internal periodic
sync buffer and returns a matching index if one exists.  If no matching
handle is found, it returns MAX_SYNC_TRANSACTION.

However, here the calling function lacks the check for this case present
in similar functions.  If no handle is matched, it will attempt to index
the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single
width and lead to OOB access.

Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated
against researcher POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5
parent e6d1eec3
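The bug class the commit describes, reduced to a self-contained C model: a lookup that returns the array length (MAX_SYNC_TRANSACTION) as its "not found" sentinel, and a caller that must check for that sentinel before indexing. This is an added illustration, not code from the AOSP Bluetooth stack or from this commit; the structure layout, the constant value 4, the handle width and every function name here are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical constants and structures modelled on the commit message;
 * the real AOSP definitions differ. The sentinel equals the array length,
 * so using it as an index reads one element past the end. */
#define MAX_SYNC_TRANSACTION 4
#define INVALID_HANDLE 0xFFFF

typedef struct {
  bool in_use;
  uint16_t sync_handle; /* handle assigned by the controller for this sync */
  uint8_t adv_sid;      /* advertising SID of the periodic train */
} psync_entry_t;

static psync_entry_t g_psync[MAX_SYNC_TRANSACTION];

/* Lookup with the same convention the commit describes: returns the matching
 * slot, or MAX_SYNC_TRANSACTION when no slot holds the handle. */
int get_psync_index_from_handle(uint16_t handle) {
  for (int i = 0; i < MAX_SYNC_TRANSACTION; i++) {
    if (g_psync[i].in_use && g_psync[i].sync_handle == handle) return i;
  }
  return MAX_SYNC_TRANSACTION;
}

/* The pattern the fix removes, kept as a comment because running it is
 * undefined behaviour (an out-of-bounds access on g_psync):
 *
 *   int idx = get_psync_index_from_handle(handle);
 *   g_psync[idx].in_use = false;   // idx may equal MAX_SYNC_TRANSACTION
 */

/* Checked handler: reject the sentinel before touching the buffer.
 * Returns true when a slot was released, false when the handle is unknown. */
bool periodic_sync_lost(uint16_t handle) {
  int idx = get_psync_index_from_handle(handle);
  if (idx < 0 || idx >= MAX_SYNC_TRANSACTION) {
    fprintf(stderr, "sync lost for unknown handle 0x%04x, ignoring\n", handle);
    return false;
  }
  g_psync[idx].in_use = false;
  g_psync[idx].sync_handle = INVALID_HANDLE;
  return true;
}

/* Helpers to populate the table for a stand-alone run. */
void psync_reset(void) { memset(g_psync, 0, sizeof(g_psync)); }

bool psync_add(uint16_t handle, uint8_t sid) {
  for (int i = 0; i < MAX_SYNC_TRANSACTION; i++) {
    if (!g_psync[i].in_use) {
      g_psync[i].in_use = true;
      g_psync[i].sync_handle = handle;
      g_psync[i].adv_sid = sid;
      return true;
    }
  }
  return false; /* table full */
}

int main(void) {
  psync_reset();
  psync_add(0x0010, 1); /* constructed sample entry */
  printf("known handle released: %d\n", periodic_sync_lost(0x0010));
  printf("unknown handle released: %d\n", periodic_sync_lost(0x0999));
  return 0;
}
```

The check is on the index, not on the handle: any lookup that signals "not found" with a value equal to the buffer length is only safe if every caller compares against that sentinel (or uses a less ambiguous return such as -1 with a `>= 0` check) before dereferencing.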