mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-09-27 19:56:32 +00:00
32 lines
1012 B
Diff
32 lines
1012 B
Diff
|
From e446be9bf42b2559add74d48b91bae52b828e24f Mon Sep 17 00:00:00 2001
|
||
|
|
From: balakrishna <quic_kunthumu@quicinc.com>
|
||
|
|
Date: Wed, 24 May 2023 13:28:21 +0530
|
||
|
|
Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
|
||
|
|
|
||
|
|
Root cause:
|
||
|
|
if the length of "pin_code" is greater than 16,
|
||
|
|
an OOBW will be triggered due to a missing bounds check.
|
||
|
|
|
||
|
|
Fix:
|
||
|
|
Check is added to avoid Out of Bound Write.
|
||
|
|
|
||
|
|
CRs-Fixed: 3507292
|
||
|
|
Change-Id: I15a1eae59b17f633e29180a01676c260189b8353
|
||
|
|
---
|
||
|
|
btif/src/bluetooth.c | 2 ++
|
||
|
|
1 file changed, 2 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/btif/src/bluetooth.c b/btif/src/bluetooth.c
|
||
|
|
index d2f81733da4..5fc6c880db0 100644
|
||
|
|
--- a/btif/src/bluetooth.c
|
||
|
|
+++ b/btif/src/bluetooth.c
|
||
|
|
@@ -345,6 +345,8 @@ static int pin_reply(const bt_bdaddr_t *bd_addr, uint8_t accept,
|
||
|
|
/* sanity check */
|
||
|
|
if (interface_ready() == FALSE)
|
||
|
|
return BT_STATUS_NOT_READY;
|
||
|
|
+ if (pin_code == NULL || pin_len > PIN_CODE_LEN)
|
||
|
|
+ return BT_STATUS_FAIL;
|
||
|
|
|
||
|
|
return btif_dm_pin_reply(bd_addr, accept, pin_len, pin_code);
|
||
|
|
}
|