Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-07-01 09:02:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
af360bc9ea
DivestOS/Patches/LineageOS-20.0/ASB-2023-10/bluetooth-01.patch
Tad af360bc9ea
20.0: October ASB picks 
wget c873988898.patch -O telecomm-01.patch
wget 0fb5786dbf.patch -O mediaprovider-01.patch
wget 1a4b9ef510.patch -O wifi-01.patch
wget 364a1d9962.patch -O bluetooth-01.patch
wget 87a06448b9.patch -O settings-01.patch
wget aaba724a68.patch -O settings-02.patch
wget 507304e1f5.patch -O native-01.patch
wget 89489ff5dd.patch -O base-01.patch
wget d1765c4715.patch -O base-02.patch
wget cbb1a0ecd6.patch -O base-03.patch
wget 4725772c0b.patch -O base-04.patch
wget 19747f6923.patch -O base-05.patch
wget e7a1aa9ed0.patch -O base-06.patch
wget 922a7860b1.patch -O base-07.patch
wget ed183ed912.patch -O base-08.patch
wget c6fbe1330a.patch -O base-09.patch
wget 9141cac175.patch -O base-10.patch
wget 41235bcc67.patch -O av-01.patch
wget a89f704701.patch -O av-02.patch
wget 6d7cd80d77.patch -O av-03.patch
wget 75fc175a08.patch -O av-04.patch
wget b023ec300f.patch -O av-05.patch
wget c8117d1539.patch -O av-06.patch
wget f06d23d824.patch -O av-07.patch
wget 9c7408ab07.patch -O av-08.patch
wget cfbfcefb3c.patch -O launcher-01.patch
wget 4a27a7f162.patch -O libxml-01.patch

Signed-off-by: Tad <tad@spotco.us>
2023-10-03 14:42:00 -04:00

91 lines
2.9 KiB
Diff
Raw Blame History

From 364a1d99624e8dca6501d98166efbb8061362970 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Tue, 16 May 2023 02:09:38 +0000
Subject: [PATCH] Fix an integer underflow in build_read_multi_rsp
When p_buf->len is mtu - 1 and p_cmd->multi_req.variable_len
evaluates to true, integer underflow is triggered
in the following line, resulting OOB access.
```
len = p_rsp->attr_value.len - (total_len - mtu);
```
Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
---
system/stack/gatt/gatt_sr.cc | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/system/stack/gatt/gatt_sr.cc b/system/stack/gatt/gatt_sr.cc
index f2a3e22414..ce00ef7428 100644
--- a/system/stack/gatt/gatt_sr.cc
+++ b/system/stack/gatt/gatt_sr.cc
@@ -21,6 +21,7 @@
* this file contains the GATT server functions
*
******************************************************************************/
+#include <algorithm>
#include <string.h>
#include "bt_target.h"
@@ -178,37 +179,38 @@ static void build_read_multi_rsp(tGATT_SR_CMD* p_cmd, uint16_t mtu) {
}
if (p_rsp != NULL) {
- total_len = (p_buf->len + p_rsp->attr_value.len);
+ total_len = p_buf->len;
if (p_cmd->multi_req.variable_len) {
total_len += 2;
}
if (total_len > mtu) {
- /* just send the partial response for the overflow case */
- len = p_rsp->attr_value.len - (total_len - mtu);
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
+
+ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+
+ if (len == 0) {
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
+
+ if (len < p_rsp->attr_value.len) {
is_overflow = true;
VLOG(1) << StringPrintf(
"multi read overflow available len=%zu val_len=%d", len,
p_rsp->attr_value.len);
- } else {
- len = p_rsp->attr_value.len;
}
if (p_cmd->multi_req.variable_len) {
- UINT16_TO_STREAM(p, len);
+ UINT16_TO_STREAM(p, (uint16_t) len);
p_buf->len += 2;
}
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
- // check for possible integer overflow
- if (p_buf->len + len <= UINT16_MAX) {
- memcpy(p, p_rsp->attr_value.value, len);
- if (!is_overflow) p += len;
- p_buf->len += len;
- } else {
- p_cmd->status = GATT_NOT_FOUND;
- break;
- }
+ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
+ p_buf->len += (uint16_t) len;
} else {
p_cmd->status = GATT_NOT_FOUND;
break;
Reference in New Issue View Git Blame Copy Permalink