mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-14 18:34:30 -05:00
59bf3b75c7
https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/353117 https://review.lineageos.org/q/topic:Q_asb_2023-03 https://review.lineageos.org/q/topic:Q_asb_2023-04 https://review.lineageos.org/q/topic:Q_asb_2023-05 https://review.lineageos.org/q/topic:Q_asb_2023-06 https://review.lineageos.org/q/topic:Q_asb_2023-07 https://review.lineageos.org/q/topic:Q_asb_2023-08 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376560 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376561 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376562 https://review.lineageos.org/q/topic:Q_asb_2023-09 https://review.lineageos.org/q/topic:Q_asb_2023-10 https://review.lineageos.org/q/topic:Q_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376563 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_webp/+/376568 https://review.lineageos.org/q/topic:Q_asb_2023-12 https://review.lineageos.org/q/topic:Q_asb_2024-01 https://review.lineageos.org/q/topic:Q_asb_2024-02 https://review.lineageos.org/q/topic:Q_asb_2024-03 Signed-off-by: Tavi <tavi@divested.dev>
30 lines
1.0 KiB
Diff
30 lines
1.0 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: balakrishna <quic_kunthumu@quicinc.com>
|
|
Date: Wed, 24 May 2023 13:28:21 +0530
|
|
Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
|
|
|
|
Root cause:
|
|
if the length of "pin_code" is greater than 16,
|
|
an OOBW will be triggered due to a missing bounds check.
|
|
|
|
Fix:
|
|
Check is added to avoid Out of Bound Write.
|
|
|
|
Change-Id: Ie63019ab98e0b1896dcf37f6dcbd61b810477193
|
|
---
|
|
btif/src/bluetooth.cc | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
|
|
index b1d0c9a6f..30985ded3 100644
|
|
--- a/btif/src/bluetooth.cc
|
|
+++ b/btif/src/bluetooth.cc
|
|
@@ -292,6 +292,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
|
|
bt_pin_code_t tmp_pin_code;
|
|
/* sanity check */
|
|
if (!interface_ready()) return BT_STATUS_NOT_READY;
|
|
+ if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL;
|
|
|
|
memcpy(&tmp_pin_code, pin_code, pin_len);
|
|
return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);
|