Skip to content
Snippets Groups Projects
Select Git revision
  • fifteen-qpr0
  • fourteen-qpr1
  • fourteen default
  • fifteen-qpr1
  • fifteen-qpr2
  • thirteen
  • staging/fourteen
7 results
Search by author
  • Any Author
  • Adithya R Adithya R adithya2306
  • Ali Ali ali-nasiri-80
  • Dhina17 Dhina17 Dhina17
  • electimon electimon electimon
  • Erfan Abdi Erfan Abdi erfanoabdi
  • Farzin Kazemzadeh Farzin Kazemzadeh itisFarzin
  • LMO BuildBot LMO BuildBot lmo-buildbot
  • LMO GerritBot LMO GerritBot lmo-gerritbot
  • Mohammad Hasan Keramat J Mohammad Hasan Keramat J ikeramat
  • Nick Nick nift4
10 authors
  1. Mar 28, 2023
    • tyiu's avatar
      Fix gatt_end_operation buffer overflow · 7236e449
      tyiu authored 
      Added boundary check for gatt_end_operation to prevent writing out of
boundary.

Since response of the GATT server is handled in
gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum
lenth that can be passed into the handlers is bounded by
GATT_MAX_MTU_SIZE, which is set to 517, which is greater than
GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec
that gaurentees MTU response to be less than or equal to 512 bytes can
cause a buffer overflow when performing memcpy without length check.

Bug: 261068592
Test: No test since not affecting behavior
Tag: #security
Ignore-AOSP-First: security

Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
      7236e449
  3. Mar 24, 2023
    • Hui Peng's avatar
      Fix a OOB bug in bta_hh_co_get_rpt_rsp · f173fcb4
      Hui Peng authored 
      Fix to the regression reported in b/264708304 and b/266585826 added:
The root cause of the regression, the sensor HAL layer expects the HID feature
reports to contain 40 bytes, even less bytes are contained in the data
field.

This updated fix restores the length of data fields with the len arg.

Bug: 259675705
Test: manual verification with a Pixel 6 and LinkBuds
Ignore-AOSP-First: security
Tag: security
Change-Id: I02f16c360965b049fc6c8fdfa0132b7aa54bc1d3
      f173fcb4
  5. Mar 13, 2023
  7. Mar 11, 2023
  9. Mar 06, 2023
  11. Feb 15, 2023
    • Brian Delwiche's avatar
      Validate buffer length in sdpu_build_uuid_seq · 367ed057
      Brian Delwiche authored 
      sdpu_build_uuid_seq accepts a UUID sequence of arbitrary length
but does not validate against the boundaries of the buffer it's
filling.  This can lead to an OOB write.

Add validation.

Bug: 239414876
Test: atest: bluetooth, validated against POC
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I6c0b91428bd37d73ae707b8a1843338998fb9562
      367ed057
  13. Feb 09, 2023
  15. Feb 07, 2023
  17. Feb 06, 2023
  19. Jan 31, 2023
  21. Jan 25, 2023
  23. Jan 19, 2023
  25. Jan 14, 2023
  27. Jan 12, 2023
  29. Jan 11, 2023
  31. Jan 10, 2023