From fdaaa82de3a268c45f073949b2caccf6c0655552 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 18 Apr 2023 04:07:10 +0000
Subject: [PATCH] Fix an OOB write bug in gatt_process_notification

Bug: 276975913
Test: manual
Ignore-AOSP-First: security
Tag: security
Change-Id: I38353a573168e18f06b2b311e532a937044fd92f
---
 system/stack/gatt/gatt_cl.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/system/stack/gatt/gatt_cl.cc b/system/stack/gatt/gatt_cl.cc
index 89218e42a22..536d489c4c6 100644
--- a/system/stack/gatt/gatt_cl.cc
+++ b/system/stack/gatt/gatt_cl.cc
@@ -753,6 +753,10 @@ void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
     // Make sure we don't read past the remaining data even if the length says
     // we can Also need to watch comparing the int16_t with the uint16_t
     value.len = std::min((uint16_t)rem_len, value.len);
+    if (value.len > sizeof(value.value)) {
+      LOG(ERROR) << "Unexpected value.len (>GATT_MAX_ATTR_LEN), stop";
+      return ;
+    }
     STREAM_TO_ARRAY(value.value, p, value.len);
     // Accounting
     rem_len -= value.len;
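Review bot: The new guard compares against `sizeof(value.value)` while the log text on the next line names `GATT_MAX_ATTR_LEN`; unless those are guaranteed equal by the declaration of `value.value` (not visible here), either compare against the same quantity the message names or state the equivalence, e.g. `static_assert(sizeof(value.value) == GATT_MAX_ATTR_LEN);` next to the check, so the bound and the diagnostic cannot drift apart. The error line also discards the information a triager needs when this path fires on a peer-supplied length — `LOG(ERROR) << "Unexpected value.len " << value.len << " on cid " << cid << " (>GATT_MAX_ATTR_LEN), stop";` would record the offending length and connection. The stray space in `return ;` should be `return;`. gatt_process_notification begins and ends outside this hunk, so whether the early `return` abandons further work the function still owes for this PDU cannot be judged from the hunk alone; it is worth confirming against the surrounding loop, if any.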
-- 
GitLab