From d2e67f50fc14bae3c4e559c7f254d8341379e8c2 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 7 Dec 2022 23:48:37 +0000
Subject: [PATCH] Fix an OOB bug in bta_hh_co_get_rpt_rsp

Bug: 259675705
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I13be3103903631de4a0fa2080151bc89884c65c9
Change-Id: I13be3103903631de4a0fa2080151bc89884c65c9
---
 system/btif/co/bta_hh_co.cc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/system/btif/co/bta_hh_co.cc b/system/btif/co/bta_hh_co.cc
index aeaf277b8ec..4b7cef77020 100644
--- a/system/btif/co/bta_hh_co.cc
+++ b/system/btif/co/bta_hh_co.cc
@@ -659,15 +659,16 @@ void bta_hh_co_get_rpt_rsp(uint8_t dev_handle, uint8_t status, uint8_t* p_rpt,
     ev.type = UHID_FEATURE_ANSWER;
     ev.u.feature_answer.id = *get_rpt_id;
     ev.u.feature_answer.err = status;
-    ev.u.feature_answer.size = len;
+    ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET;
     osi_free(get_rpt_id);
-    if (len > 0) {
-      if (len > UHID_DATA_MAX) {
+    if (len > GET_RPT_RSP_OFFSET) {
+      if (len - GET_RPT_RSP_OFFSET > UHID_DATA_MAX) {
         APPL_TRACE_WARNING("%s: Report size greater than allowed size",
                            __func__);
         return;
       }
-      memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, len);
+      memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET,
+             len - GET_RPT_RSP_OFFSET);
       uhid_write(p_dev->fd, &ev);
     }
   }
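Review bot: The new assignment `ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET;` runs before the `len > GET_RPT_RSP_OFFSET` guard, so a response shorter than the offset makes the subtraction go negative and leaves a wrapped value in the size field. In the visible lines the event is written only inside the guard, so this looks harmless today, but any later use of `ev` would see a bogus length. Moving that assignment inside the `if (len > GET_RPT_RSP_OFFSET)` block, after the `UHID_DATA_MAX` check, keeps every use of the length behind validation and leaves the `osi_free(get_rpt_id)` path unchanged. The declaration of `len` and the start of the function are outside the hunk, so the exact wrap behaviour should be confirmed against the signature. Since the commit lists `Test: manual`, a regression test covering `len` of zero, `len` equal to the offset, and `len - GET_RPT_RSP_OFFSET` just above `UHID_DATA_MAX` would pin the fix.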
-- 
GitLab