From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Hui Peng Date: Wed, 28 Dec 2022 00:32:37 +0000 Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084 Bug: 258652631 Test: manual Tag: #security Ignore-AOSP-First: security Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66 (cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03) Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66 --- stack/gatt/gatt_cl.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc index 9a28ff04a..014240888 100644 --- a/stack/gatt/gatt_cl.cc +++ b/stack/gatt/gatt_cl.cc @@ -569,7 +569,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d", gatt_dbg_op_name(op_code), len); - if (len < GATT_PREP_WRITE_RSP_MIN_LEN) { + if (len < GATT_PREP_WRITE_RSP_MIN_LEN || + len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) { LOG(ERROR) << "illegal prepare write response length, discard"; gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value); return; @@ -578,7 +579,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb, STREAM_TO_UINT16(value.handle, p); STREAM_TO_UINT16(value.offset, p); - value.len = len - 4; + value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN; memcpy(value.value, p, value.len);