Commit c0bac7ff authored by Hui Peng's avatar Hui Peng Committed by Automerger Merge Worker

Merge "Fix an integer underflow in build_read_multi_rsp" into tm-dev am: 82ce3fef am: 83b5e1ad

parents cb9ab4b8 83b5e1ad
...@@ -21,6 +21,7 @@ ...@@ -21,6 +21,7 @@
* this file contains the GATT server functions * this file contains the GATT server functions
* *
******************************************************************************/ ******************************************************************************/
#include <algorithm>
#include <string.h> #include <string.h>
#include "bt_target.h" #include "bt_target.h"
...@@ -178,37 +179,38 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) { ...@@ -178,37 +179,38 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
} }
if (p_rsp != NULL) { if (p_rsp != NULL) {
total_len = (p_buf->len + p_rsp->attr_value.len); total_len = p_buf->len;
if (p_cmd->multi_req.variable_len) { if (p_cmd->multi_req.variable_len) {
total_len += 2; total_len += 2;
} }
if (total_len > mtu) { if (total_len > mtu) {
/* just send the partial response for the overflow case */ VLOG(1) << "Buffer space not enough for this data item, skipping";
len = p_rsp->attr_value.len - (total_len - mtu); break;
}
len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
if (len == 0) {
VLOG(1) << "Buffer space not enough for this data item, skipping";
break;
}
if (len < p_rsp->attr_value.len) {
is_overflow = true; is_overflow = true;
VLOG(1) << StringPrintf( VLOG(1) << StringPrintf(
"multi read overflow available len=%zu val_len=%d", len, "multi read overflow available len=%zu val_len=%d", len,
p_rsp->attr_value.len); p_rsp->attr_value.len);
} else {
len = p_rsp->attr_value.len;
} }
if (p_cmd->multi_req.variable_len) { if (p_cmd->multi_req.variable_len) {
UINT16_TO_STREAM(p, len); UINT16_TO_STREAM(p, (uint16_t) len);
p_buf->len += 2; p_buf->len += 2;
} }
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) { if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
// check for possible integer overflow ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
if (p_buf->len + len <= UINT16_MAX) { p_buf->len += (uint16_t) len;
memcpy(p, p_rsp->attr_value.value, len);
if (!is_overflow) p += len;
p_buf->len += len;
} else {
p_cmd->status = GATT_NOT_FOUND;
break;
}
} else { } else {
p_cmd->status = GATT_NOT_FOUND; p_cmd->status = GATT_NOT_FOUND;
break; break;
......
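Review bot: The two new early-exit branches (`total_len > mtu` and `len == 0`) log the same message and `break` without setting `is_overflow` or `p_cmd->status`, so the log cannot show which condition fired or that this item and all later ones were dropped. Distinct text for the first branch, e.g. `VLOG(1) << "multi read: length header does not fit, total_len=" << total_len << " mtu=" << mtu;`, would make a malformed or oversized request easier to triage. The `(uint16_t) len` narrowing passed to `UINT16_TO_STREAM` and `ARRAY_TO_STREAM` is safe only because `len <= mtu - total_len`, which now stands in for the removed `UINT16_MAX` check; a comment such as `// len <= mtu - total_len <= UINT16_MAX, so the narrowing below cannot truncate` would keep that invariant visible. The copy is bounded by `mtu` rather than by the capacity of `p_buf`, whose allocation is outside this hunk, so it is worth confirming the buffer is sized from the same `mtu`. The body of `build_read_multi_rsp` starts before and continues past the visible lines.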