Fix an OOB bug in parse_gap_data

Bug: 277590580 bug: 275553827 Test: atest net_test_main_shim Ignore-AOSP-First: security Tag: #security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:98007dd44ef095cae8091b7a31b6c7456eb9db25) Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f
author: Hui Peng <phui@google.com> 2023-10-03 17:28:23 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2023-10-23 20:51:11 +0000
commit: 43cb2b71f0faa90a60e19a88210166a66d92e43c (patch)
tree: 1019fe2834031b13a0e3b8b9e3064a6f090a553b
parent: ed2c670f77bc9c0de5894f0f381d7dd54a620cc6 (diff)
download: bt-43cb2b71f0faa90a60e19a88210166a66d92e43c.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/main/shim/utils.cc b/main/shim/utils.cc
index dcf1725be..9f18ddc4f 100644
--- a/main/shim/utils.cc
+++ b/main/shim/utils.cc
@@ -25,6 +25,10 @@ void parse_gap_data(const std::vector<uint8_t> &raw_data,
       hci::GapData gap_data;
       uint8_t len = raw_data[offset];
 
+      if (offset + len + 1 > raw_data.size()) {
+        break;
+      }
+
       auto begin = raw_data.begin() + offset;
       auto end = begin + len + 1;  // 1 byte for len
       auto data_copy = std::make_shared<std::vector<uint8_t>>(begin, end);
author	Hui Peng <phui@google.com>	2023-10-03 17:28:23 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2023-10-23 20:51:11 +0000
commit	43cb2b71f0faa90a60e19a88210166a66d92e43c (patch)
tree	1019fe2834031b13a0e3b8b9e3064a6f090a553b
parent	ed2c670f77bc9c0de5894f0f381d7dd54a620cc6 (diff)
download	bt-43cb2b71f0faa90a60e19a88210166a66d92e43c.tar.gz