Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2025-08-18 19:08:26 -04:00
Code Issues Projects Releases Packages Wiki Activity

16: ASB picks

Browse source 
Signed-off-by: Tavi <tavi@divested.dev>
This commit is contained in:
Tavi 2024-03-13 20:34:31 -04:00
parent 8157086726
commit 3b2fde1dd6
No known key found for this signature in database
GPG key ID: E599F62ECBAEAF2E
8 changed files with 7 additions and 236 deletions
Download patch file Download diff file Expand all files Collapse all files

44
Patches/LineageOS-16.0/android_system_bt/381894.patch
View file

@ -1,44 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 29 Nov 2023 00:53:33 +0000
Subject: [PATCH] Fix an OOB bug in btif_to_bta_response and
attp_build_value_cmd
this is a backport of Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:138120c65f9b5a03d462d01da9c5c7f71c875e1e)
Merged-In: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
Change-Id: Ia13e47e416d43243e90fb1430f65ae68c50f9ff3
---
btif/src/btif_gatt_util.cc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/btif/src/btif_gatt_util.cc b/btif/src/btif_gatt_util.cc
index 16f227511..a0798df15 100644
--- a/btif/src/btif_gatt_util.cc
+++ b/btif/src/btif_gatt_util.cc
@@ -18,6 +18,8 @@
#define LOG_TAG "bt_btif_gatt"
+#include <algorithm>
+
#include "btif_gatt_util.h"
#include <errno.h>
@@ -48,9 +50,9 @@ using bluetooth::Uuid;
void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
p_dest->attr_value.handle = p_src->attr_value.handle;
- p_dest->attr_value.len = p_src->attr_value.len;
+ p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
p_dest->attr_value.offset = p_src->attr_value.offset;
- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
}
/*******************************************************************************

38
Patches/LineageOS-16.0/android_system_bt/381895.patch
View file

@ -1,38 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Wed, 29 Nov 2023 18:23:53 +0000
Subject: [PATCH] Fix an OOB write bug in attp_build_read_by_type_value_cmd
This is a backport of I2a95bbcce9a16ac84dd714eb4561428711a9872e
Bug: 297524203
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:9cdac321797cbe8214bc3f6294ca9a71a4be07a7)
Merged-In: I8c5daedb1605307df697ea5d875153dfcf3f5181
Change-Id: I8c5daedb1605307df697ea5d875153dfcf3f5181
---
stack/gatt/att_protocol.cc | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/stack/gatt/att_protocol.cc b/stack/gatt/att_protocol.cc
index 142216cc9..5bd814c88 100644
--- a/stack/gatt/att_protocol.cc
+++ b/stack/gatt/att_protocol.cc
@@ -157,8 +157,14 @@ BT_HDR* attp_build_read_by_type_value_cmd(uint16_t payload_size,
tGATT_FIND_TYPE_VALUE* p_value_type) {
uint8_t* p;
uint16_t len = p_value_type->value_len;
- BT_HDR* p_buf =
- (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
+ BT_HDR* p_buf = nullptr;
+
+ if (payload_size < 5) {
+ return nullptr;
+ }
+
+ p_buf =
+ (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;
p_buf->offset = L2CAP_MIN_OFFSET;