DivestOS/Patches/LineageOS-14.1/android_system_bt/345527.patch
Tad 63cbd1f483
14.1 December ASB, thanks to @syphyr
Signed-off-by: Tad <tad@spotco.us>
2022-12-10 20:17:48 -05:00

34 lines
1.2 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Ted Wang <tedwang@google.com>
Date: Thu, 4 Aug 2022 09:41:24 +0800
Subject: [PATCH] Add length check when copy AVDTP packet
Bug: 232023771
Test: make
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
(cherry picked from commit 07cc1fe9b4523f95c13c247a795bdf0b36a1aa4f)
Merged-In: I68dd78c747eeafee5190dc56d7c71e9eeed08a5b
---
stack/avdt/avdt_msg.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/stack/avdt/avdt_msg.c b/stack/avdt/avdt_msg.c
index 91a58403e..65d4485e7 100644
--- a/stack/avdt/avdt_msg.c
+++ b/stack/avdt/avdt_msg.c
@@ -1411,6 +1411,11 @@ BT_HDR *avdt_msg_asmbl(tAVDT_CCB *p_ccb, BT_HDR *p_buf)
* would have allocated smaller buffer.
*/
p_ccb->p_rx_msg = (BT_HDR *)osi_malloc(BT_DEFAULT_BUFFER_SIZE);
+ if (sizeof(BT_HDR) + p_buf->offset + p_buf->len > BT_DEFAULT_BUFFER_SIZE)
+ {
+ android_errorWriteLog(0x534e4554, "232023771");
+ return NULL;
+ }
memcpy(p_ccb->p_rx_msg, p_buf,
sizeof(BT_HDR) + p_buf->offset + p_buf->len);