author | Chris Manton <cmanton@google.com> | 2022-02-08 17:25:37 +0000 |
---|---|---|
committer | Presubmit Automerger Backend <android-build-presubmit-automerger-backend@system.gserviceaccount.com> | 2022-02-08 17:25:37 +0000 |
commit | 2ac0eae861fdb0489e9faac3506bd10daeb95f5b (patch) | |
tree | c052d3f7c4f539153a7192389e9355ac1b980eb6 | |
parent | 91510ff4beaa2206e7163aa58e626f5f267b364b (diff) | |
parent | 7f619cedc140b90faa290dbbc14d9c272fa4c6e6 (diff) | |
[automerge] Security fix for potential OOB read in L2CAP 2p: 7f619cedc1
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/bt/+/16816306
Bug: 212694559
Change-Id: I364819543984ed92b4e62c93d4dcd966ee02d789
-rw-r--r-- | stack/l2cap/l2c_ble.cc | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/stack/l2cap/l2c_ble.cc b/stack/l2cap/l2c_ble.cc
index b826dc19c..16454a5b0 100644
--- a/stack/l2cap/l2c_ble.cc
+++ b/stack/l2cap/l2c_ble.cc
@@ -811,6 +811,11 @@ void l2cble_process_sig_cmd(tL2C_LCB* p_lcb, uint8_t* p, uint16_t pkt_len) {
 case L2CAP_CMD_CREDIT_BASED_RECONFIG_RES: {
 uint16_t result;
+ if (p + sizeof(uint16_t) > p_pkt_end) {
+ android_errorWriteLog(0x534e4554, "212694559");
+ LOG(ERROR) << "invalid read";
+ return;
+ }
 STREAM_TO_UINT16(result, p);
 L2CAP_TRACE_DEBUG( |
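Review bot: The new guard in the `L2CAP_CMD_CREDIT_BASED_RECONFIG_RES` case computes `p + sizeof(uint16_t)` before comparing, so when fewer than two bytes remain the intermediate pointer can lie beyond one-past-the-end of the packet, which is formally undefined and is exactly the situation the check is there to catch. Comparing the remaining length avoids that: `if (p_pkt_end - p < static_cast<ptrdiff_t>(sizeof(uint16_t))) {`. `p_pkt_end` is defined outside this hunk, presumably as `p + pkt_len`, so the rewrite should be confirmed against that definition. The message `"invalid read"` also does not say which command was truncated; `LOG(ERROR) << "truncated CREDIT_BASED_RECONFIG_RES";` would make the log line usable next to the SafetyNet event. The body of `l2cble_process_sig_cmd` starts and continues outside the hunk.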