author | Hui Peng <phui@google.com> | 2023-01-02 23:06:59 +0000 |
---|---|---|
committer | Hui Peng <phui@google.com> | 2023-01-05 23:38:36 +0000 |
commit | 4e9686af82f586ed6131e1096e1ac751c744643f (patch) | |
tree | 1569abe912f5a938f5d6c6812820e1f54c0671f7 | |
parent | a710300216be4a86373a65c6a685aeef8509cfa7 (diff) | |
download | bt-4e9686af82f586ed6131e1096e1ac751c744643f.tar.gz |
Fix an OOB bug in bta_hh_co_get_rpt_rsp
This is a backport of I13be3103903631de4a0fa2080151bc89884c65c9
Bug: 259675705
Test: manual
Tag: #security
Ignore-AOSP-First: security
Change-Id: Ifff9e18b4e52d84ce06a480585663f53d8c0f0e8
-rw-r--r-- | btif/co/bta_hh_co.cc | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/btif/co/bta_hh_co.cc b/btif/co/bta_hh_co.cc index 5a7cad845..ca70e84a7 100644 --- a/btif/co/bta_hh_co.cc +++ b/btif/co/bta_hh_co.cc @@ -571,22 +571,23 @@ void bta_hh_co_get_rpt_rsp(uint8_t dev_handle, uint8_t status, uint8_t* p_rpt, } // Send the HID report to the kernel. - if (p_dev->fd >= 0 && p_dev->get_rpt_snt--) { + if (p_dev->fd >= 0 && p_dev->get_rpt_snt > 0 && p_dev->get_rpt_snt--) { uint32_t* get_rpt_id = (uint32_t*)fixed_queue_dequeue(p_dev->get_rpt_id_queue); memset(&ev, 0, sizeof(ev)); ev.type = UHID_FEATURE_ANSWER; ev.u.feature_answer.id = *get_rpt_id; ev.u.feature_answer.err = status; - ev.u.feature_answer.size = len; + ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET; osi_free(get_rpt_id); - if (len > 0) { - if (len > UHID_DATA_MAX) { + if (len > GET_RPT_RSP_OFFSET) { + if (len - GET_RPT_RSP_OFFSET > UHID_DATA_MAX) { APPL_TRACE_WARNING("%s: Report size greater than allowed size", __func__); return; } - memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, len); + memcpy(ev.u.feature_answer.data, p_rpt + GET_RPT_RSP_OFFSET, + len - GET_RPT_RSP_OFFSET); uhid_write(p_dev->fd, &ev); } } |
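Review bot: The assignment `ev.u.feature_answer.size = len - GET_RPT_RSP_OFFSET;` still runs before the `if (len > GET_RPT_RSP_OFFSET)` guard, so for a response shorter than the offset the field is given a meaningless (wrapped) value. That is harmless today only because `ev` is never written on that path; moving the assignment inside the guard would keep the bound next to the size it protects. On the same short-length path, and on the oversize `return`, the request id has already been dequeued and `get_rpt_snt` decremented, yet no `UHID_FEATURE_ANSWER` is written and the short case logs nothing, so the pending request presumably stays unanswered until it times out. An `else` branch with `APPL_TRACE_WARNING("%s: Report shorter than header", __func__);` would at least make the drop visible in logs. The function's signature and its earlier checks lie outside the hunk, so the declared type of `len` cannot be confirmed from here.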