Handle bogus multi value packet lengths

Bug: 206128341 Tag: #security Test: gd/cert/run Ignore-AOSP-First: Security fix Change-Id: I7cbb601e87259c08796731de44f2b2eaba1e2894
author: Chris Manton <cmanton@google.com> 2021-12-07 18:57:48 -0800
committer: Chris Manton <cmanton@google.com> 2021-12-09 00:07:46 +0000
commit: 97e84ea15a31d8df49003b19ac3ef5cd52ea95f5 (patch)
tree: 8269c28bd85f30cc17767771215683359257d340
parent: b98e1de3305a88eef9bea6197b37a1e7974dd9c4 (diff)
download: bt-97e84ea15a31d8df49003b19ac3ef5cd52ea95f5.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 8c3567d7a..cb5c13877 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -745,7 +745,7 @@ void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
     rem_len -= 4;
     // Make sure we don't read past the remaining data even if the length says
     // we can Also need to watch comparing the int16_t with the uint16_t
-    value.len = std::min(rem_len, (int16_t)value.len);
+    value.len = std::min((uint16_t)rem_len, value.len);
     STREAM_TO_ARRAY(value.value, p, value.len);
     // Accounting
     rem_len -= value.len;
author	Chris Manton <cmanton@google.com>	2021-12-07 18:57:48 -0800
committer	Chris Manton <cmanton@google.com>	2021-12-09 00:07:46 +0000
commit	97e84ea15a31d8df49003b19ac3ef5cd52ea95f5 (patch)
tree	8269c28bd85f30cc17767771215683359257d340
parent	b98e1de3305a88eef9bea6197b37a1e7974dd9c4 (diff)
download	bt-97e84ea15a31d8df49003b19ac3ef5cd52ea95f5.tar.gz