DivestOS/Patches/LineageOS-14.1/android_system_bt/360892.patch

From fa5c4429ae75e687b87313b79512c4a90f90ee3b Mon Sep 17 00:00:00 2001
From: tyiu <tyiu@google.com>
Date: Tue, 28 Mar 2023 18:40:51 +0000
Subject: [PATCH] Fix gatt_end_operation buffer overflow

Added boundary check for gatt_end_operation to prevent writing out of
boundary.

Since response of the GATT server is handled in
gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum
lenth that can be passed into the handlers is bounded by
GATT_MAX_MTU_SIZE, which is set to 517, which is greater than
GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec
that gaurentees MTU response to be less than or equal to 512 bytes can
cause a buffer overflow when performing memcpy without length check.

Bug: 261068592
Test: No test since not affecting behavior
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200)
Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
---
 stack/gatt/gatt_utils.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/stack/gatt/gatt_utils.c b/stack/gatt/gatt_utils.c
index 4582b5ae477..e56c1a4e793 100644
--- a/stack/gatt/gatt_utils.c
+++ b/stack/gatt/gatt_utils.c
@@ -2190,6 +2190,14 @@ void gatt_end_operation(tGATT_CLCB *p_clcb, tGATT_STATUS status, void *p_data)
             cb_data.att_value.handle   = p_clcb->s_handle;
             cb_data.att_value.len      = p_clcb->counter;
 
+            if (cb_data.att_value.len > GATT_MAX_ATTR_LEN)
+            {
+              GATT_TRACE_DEBUG ("%s", __func__);
+              GATT_TRACE_DEBUG ("Large cb_data.att_value, size=%d",
+                                           cb_data.att_value.len);
+              cb_data.att_value.len = GATT_MAX_ATTR_LEN;
+            }
+
             if (p_data && p_clcb->counter)
                 memcpy (cb_data.att_value.value, p_data, cb_data.att_value.len);
         }