DivestOS/Patches/LineageOS-16.0/android_system_bt/345914.patch
Tavi 082bc48c32
16.0: Import and verify picks
https://review.lineageos.org/q/topic:P_asb_2022-05
https://review.lineageos.org/q/topic:P_asb_2022-06
https://review.lineageos.org/q/topic:P_asb_2022-07
https://review.lineageos.org/q/topic:P_asb_2022-08
https://review.lineageos.org/q/topic:P_asb_2022-09
https://review.lineageos.org/q/topic:P_asb_2022-10
https://review.lineageos.org/q/topic:P_asb_2022-11
https://review.lineageos.org/q/topic:P_asb_2022-12
https://review.lineageos.org/q/topic:P_asb_2023-01
https://review.lineageos.org/q/topic:P_asb_2023-02
https://review.lineageos.org/q/topic:P_asb_2023-03
https://review.lineageos.org/q/topic:P_asb_2023-04
https://review.lineageos.org/q/topic:P_asb_2023-05
https://review.lineageos.org/q/topic:P_asb_2023-06
https://review.lineageos.org/q/topic:P_asb_2023-07
	accounted for via manifest change:
	https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250
https://review.lineageos.org/q/topic:P_asb_2023-08
	accounted for via manifest change:
	https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606
	accounted for via patches:
	https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328
https://review.lineageos.org/q/topic:P_asb_2023-09
https://review.lineageos.org/q/topic:P_asb_2023-10
https://review.lineageos.org/q/topic:P_asb_2023-11
	accounted for via patches:
	https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916
https://review.lineageos.org/q/topic:P_asb_2023-12
https://review.lineageos.org/q/topic:P_asb_2024-01
https://review.lineageos.org/q/topic:P_asb_2024-02
https://review.lineageos.org/q/topic:P_asb_2024-03
https://review.lineageos.org/q/topic:P_asb_2024-04

Signed-off-by: Tavi <tavi@divested.dev>
2024-05-07 19:43:19 -04:00

33 lines
1.2 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ted Wang <tedwang@google.com>
Date: Thu, 4 Aug 2022 09:41:24 +0800
Subject: [PATCH] Add length check when copy AVDTP packet
Bug: 232023771
Test: make
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
(cherry picked from commit 07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f)
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
---
stack/avdt/avdt_msg.cc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/stack/avdt/avdt_msg.cc b/stack/avdt/avdt_msg.cc
index cf517d125..e1ba9aefb 100644
--- a/stack/avdt/avdt_msg.cc
+++ b/stack/avdt/avdt_msg.cc
@@ -1223,6 +1223,10 @@ BT_HDR* avdt_msg_asmbl(AvdtpCcb* p_ccb, BT_HDR* p_buf) {
* would have allocated smaller buffer.
*/
p_ccb->p_rx_msg = (BT_HDR*)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE) {
+ android_errorWriteLog(0x534e4554, "232023771");
+ return NULL;
+ }
memcpy(p_ccb->p_rx_msg, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
/* Free original buffer */