From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Brian Delwiche Date: Mon, 8 Jul 2024 22:42:18 +0000 Subject: [PATCH] Fix OOB write in build_read_multi_rsp of gatt_sr.cc build_read_multi_rsp is missing a bounds check, which can lead to an OOB write when the mtu parameter is set to zero. Add that bounds check. Bug: 323850943 Test: atest GattSrTest Test: researcher POC Tag: #security Flag: EXEMPT trivial validity checks Ignore-AOSP-First: Security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:c177fdbd6189a114239e11e2713740b5a50624e1) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f7171d31e247e3367b302374a3a0cf671f50ffcd) Merged-In: Icc8209aec68873c9821a36c579cd5df05c6ec8b8 Change-Id: Icc8209aec68873c9821a36c579cd5df05c6ec8b8 --- stack/gatt/gatt_sr.cc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc index 252732c73..9a875d742 100644 --- a/stack/gatt/gatt_sr.cc +++ b/stack/gatt/gatt_sr.cc @@ -136,6 +136,14 @@ static bool process_read_multi_rsp(tGATT_SR_CMD* p_cmd, tGATT_STATUS status, /* Wait till we get all the responses */ if (fixed_queue_length(p_cmd->multi_rsp_q) == p_cmd->multi_req.num_handles) { + + // We need at least one extra byte for the opcode + if (mtu == 0) { + LOG(ERROR) << "Invalid MTU"; + p_cmd->status = GATT_ILLEGAL_PARAMETER; + return (true); + } + len = sizeof(BT_HDR) + L2CAP_MIN_OFFSET + mtu; p_buf = (BT_HDR*)osi_calloc(len); p_buf->offset = L2CAP_MIN_OFFSET;