diff options
author | Chris Manton <cmanton@google.com> | 2021-12-07 18:57:48 -0800 |
---|---|---|
committer | Chris Manton <cmanton@google.com> | 2021-12-09 00:07:46 +0000 |
commit | 97e84ea15a31d8df49003b19ac3ef5cd52ea95f5 (patch) | |
tree | 8269c28bd85f30cc17767771215683359257d340 | |
parent | b98e1de3305a88eef9bea6197b37a1e7974dd9c4 (diff) | |
download | bt-97e84ea15a31d8df49003b19ac3ef5cd52ea95f5.tar.gz |
Handle bogus multi value packet lengths
Bug: 206128341
Tag: #security
Test: gd/cert/run
Ignore-AOSP-First: Security fix
Change-Id: I7cbb601e87259c08796731de44f2b2eaba1e2894
-rw-r--r-- | stack/gatt/gatt_cl.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc index 8c3567d7a..cb5c13877 100644 --- a/stack/gatt/gatt_cl.cc +++ b/stack/gatt/gatt_cl.cc @@ -745,7 +745,7 @@ void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code, rem_len -= 4; // Make sure we don't read past the remaining data even if the length says // we can Also need to watch comparing the int16_t with the uint16_t - value.len = std::min(rem_len, (int16_t)value.len); + value.len = std::min((uint16_t)rem_len, value.len); STREAM_TO_ARRAY(value.value, p, value.len); // Accounting rem_len -= value.len; |