DivestOS/Patches/LineageOS-15.1/android_system_bt/377030.patch
Tad 0310c702c7
15/16: two missing system/bt fixes
Signed-off-by: Tad <tad@spotco.us>
2023-12-12 13:58:25 -05:00

31 lines
1.1 KiB
Diff

From 2b22ff4cc93a2824e14970d212493245362c78d1 Mon Sep 17 00:00:00 2001
From: balakrishna <quic_kunthumu@quicinc.com>
Date: Wed, 24 May 2023 13:28:21 +0530
Subject: [PATCH] Fix OOB Write in pin_reply in bluetooth.cc
Root cause:
if the length of "pin_code" is greater than 16,
an OOBW will be triggered due to a missing bounds check.
Fix:
Check is added to avoid Out of Bound Write.
CRs-Fixed: 3507292
Change-Id: I15a1eae59b17f633e29180a01676c260189b8353
---
btif/src/bluetooth.cc | 1 +
1 file changed, 1 insertion(+)
diff --git a/btif/src/bluetooth.cc b/btif/src/bluetooth.cc
index b01a4aa30..609ef7a98 100644
--- a/btif/src/bluetooth.cc
+++ b/btif/src/bluetooth.cc
@@ -327,6 +327,7 @@ static int pin_reply(const RawAddress* bd_addr, uint8_t accept, uint8_t pin_len,
bt_pin_code_t tmp_pin_code;
/* sanity check */
if (interface_ready() == false) return BT_STATUS_NOT_READY;
+ if (pin_code == nullptr || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL;
memcpy(&tmp_pin_code, pin_code, pin_len);
return btif_dm_pin_reply(bd_addr, accept, pin_len, &tmp_pin_code);