mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
082bc48c32
https://review.lineageos.org/q/topic:P_asb_2022-05 https://review.lineageos.org/q/topic:P_asb_2022-06 https://review.lineageos.org/q/topic:P_asb_2022-07 https://review.lineageos.org/q/topic:P_asb_2022-08 https://review.lineageos.org/q/topic:P_asb_2022-09 https://review.lineageos.org/q/topic:P_asb_2022-10 https://review.lineageos.org/q/topic:P_asb_2022-11 https://review.lineageos.org/q/topic:P_asb_2022-12 https://review.lineageos.org/q/topic:P_asb_2023-01 https://review.lineageos.org/q/topic:P_asb_2023-02 https://review.lineageos.org/q/topic:P_asb_2023-03 https://review.lineageos.org/q/topic:P_asb_2023-04 https://review.lineageos.org/q/topic:P_asb_2023-05 https://review.lineageos.org/q/topic:P_asb_2023-06 https://review.lineageos.org/q/topic:P_asb_2023-07 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/361250 https://review.lineageos.org/q/topic:P_asb_2023-08 accounted for via manifest change: https://review.lineageos.org/c/LineageOS/android_external_freetype/+/364606 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/365328 https://review.lineageos.org/q/topic:P_asb_2023-09 https://review.lineageos.org/q/topic:P_asb_2023-10 https://review.lineageos.org/q/topic:P_asb_2023-11 accounted for via patches: https://review.lineageos.org/c/LineageOS/android_system_ca-certificates/+/374916 https://review.lineageos.org/q/topic:P_asb_2023-12 https://review.lineageos.org/q/topic:P_asb_2024-01 https://review.lineageos.org/q/topic:P_asb_2024-02 https://review.lineageos.org/q/topic:P_asb_2024-03 https://review.lineageos.org/q/topic:P_asb_2024-04 Signed-off-by: Tavi <tavi@divested.dev>
42 lines
1.5 KiB
Diff
42 lines
1.5 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Hui Peng <phui@google.com>
|
|
Date: Wed, 28 Dec 2022 00:32:37 +0000
|
|
Subject: [PATCH] Fix an OOB Write bug in gatt_check_write_long_terminate
|
|
|
|
this is the backport of Ifffa2c7f679c4ef72dbdb6b1f3378ca506680084
|
|
|
|
Bug: 258652631
|
|
Test: manual
|
|
Tag: #security
|
|
Ignore-AOSP-First: security
|
|
Change-Id: Ic84122f07cbc198c676d366e39606621b7cb4e66
|
|
(cherry picked from commit 9b17660bfd6f0f41cb9400ce0236d76c83605e03)
|
|
Merged-In: Ic84122f07cbc198c676d366e39606621b7cb4e66
|
|
---
|
|
stack/gatt/gatt_cl.cc | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
|
|
index 46572dd06..f8d5bab92 100644
|
|
--- a/stack/gatt/gatt_cl.cc
|
|
+++ b/stack/gatt/gatt_cl.cc
|
|
@@ -573,7 +573,8 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
|
|
LOG(ERROR) << StringPrintf("value resp op_code = %s len = %d",
|
|
gatt_dbg_op_name(op_code), len);
|
|
|
|
- if (len < GATT_PREP_WRITE_RSP_MIN_LEN) {
|
|
+ if (len < GATT_PREP_WRITE_RSP_MIN_LEN ||
|
|
+ len > GATT_PREP_WRITE_RSP_MIN_LEN + sizeof(value.value)) {
|
|
LOG(ERROR) << "illegal prepare write response length, discard";
|
|
gatt_end_operation(p_clcb, GATT_INVALID_PDU, &value);
|
|
return;
|
|
@@ -582,7 +583,7 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
|
|
STREAM_TO_UINT16(value.handle, p);
|
|
STREAM_TO_UINT16(value.offset, p);
|
|
|
|
- value.len = len - 4;
|
|
+ value.len = len - GATT_PREP_WRITE_RSP_MIN_LEN;
|
|
|
|
memcpy(value.value, p, value.len);
|
|
|