mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
59bf3b75c7
https://review.lineageos.org/c/LineageOS/android_frameworks_base/+/353117 https://review.lineageos.org/q/topic:Q_asb_2023-03 https://review.lineageos.org/q/topic:Q_asb_2023-04 https://review.lineageos.org/q/topic:Q_asb_2023-05 https://review.lineageos.org/q/topic:Q_asb_2023-06 https://review.lineageos.org/q/topic:Q_asb_2023-07 https://review.lineageos.org/q/topic:Q_asb_2023-08 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376560 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376561 https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376562 https://review.lineageos.org/q/topic:Q_asb_2023-09 https://review.lineageos.org/q/topic:Q_asb_2023-10 https://review.lineageos.org/q/topic:Q_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/376563 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_webp/+/376568 https://review.lineageos.org/q/topic:Q_asb_2023-12 https://review.lineageos.org/q/topic:Q_asb_2024-01 https://review.lineageos.org/q/topic:Q_asb_2024-02 https://review.lineageos.org/q/topic:Q_asb_2024-03 Signed-off-by: Tavi <tavi@divested.dev>
46 lines
1.9 KiB
Diff
46 lines
1.9 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: tyiu <tyiu@google.com>
|
|
Date: Tue, 28 Mar 2023 18:40:51 +0000
|
|
Subject: [PATCH] Fix gatt_end_operation buffer overflow
|
|
|
|
Added boundary check for gatt_end_operation to prevent writing out of
|
|
boundary.
|
|
|
|
Since response of the GATT server is handled in
|
|
gatt_client_handle_server_rsp() and gatt_process_read_rsp(), the maximum
|
|
lenth that can be passed into the handlers is bounded by
|
|
GATT_MAX_MTU_SIZE, which is set to 517, which is greater than
|
|
GATT_MAX_ATTR_LEN which is set to 512. The fact that there is no spec
|
|
that gaurentees MTU response to be less than or equal to 512 bytes can
|
|
cause a buffer overflow when performing memcpy without length check.
|
|
|
|
Bug: 261068592
|
|
Test: No test since not affecting behavior
|
|
Tag: #security
|
|
Ignore-AOSP-First: security
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:dd7298e982e4bbf0138a490562679c9a4a755200)
|
|
Merged-In: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
|
|
Change-Id: I49e2797cd9300ee4cd69f2c7fa5f0073db78b873
|
|
---
|
|
stack/gatt/gatt_utils.cc | 7 +++++++
|
|
1 file changed, 7 insertions(+)
|
|
|
|
diff --git a/stack/gatt/gatt_utils.cc b/stack/gatt/gatt_utils.cc
|
|
index 2bd424000..013011778 100644
|
|
--- a/stack/gatt/gatt_utils.cc
|
|
+++ b/stack/gatt/gatt_utils.cc
|
|
@@ -1198,6 +1198,13 @@ void gatt_end_operation(tGATT_CLCB* p_clcb, tGATT_STATUS status, void* p_data) {
|
|
cb_data.att_value.handle = p_clcb->s_handle;
|
|
cb_data.att_value.len = p_clcb->counter;
|
|
|
|
+ if (cb_data.att_value.len > GATT_MAX_ATTR_LEN) {
|
|
+ LOG(WARNING) << __func__
|
|
+ << StringPrintf(" Large cb_data.att_value, size=%d",
|
|
+ cb_data.att_value.len);
|
|
+ cb_data.att_value.len = GATT_MAX_ATTR_LEN;
|
|
+ }
|
|
+
|
|
if (p_data && p_clcb->counter)
|
|
memcpy(cb_data.att_value.value, p_data, cb_data.att_value.len);
|
|
}
|