From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: balakrishna Date: Wed, 24 May 2023 13:28:21 +0530 Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc Root cause: if the length of "pin_code" is greater than 16, an OOBW will be triggered due to a missing bounds check. Fix: Check is added to avoid Out of Bound Write. Change-Id: Ie63019ab98e0b1896dcf37f6dcbd61b810477193 --- btif/src/bluetooth.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc index b1d0c9a6f..30985ded3 100644 --- a/btif/src/bluetooth.cc +++ b/btif/src/bluetooth.cc @@ -292,6 +292,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len, bt_pin_code_t tmp_pin_code; /* sanity check */ if (!interface_ready()) return BT_STATUS_NOT_READY; + if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL; memcpy(&tmp_pin_code, pin_code, pin_len); return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);