diff options
author | Hui Peng <phui@google.com> | 2023-10-03 17:28:23 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-10-23 17:59:49 +0000 |
commit | 4fb4348145827acee28c7bcb53c0a9e3a1983b40 (patch) | |
tree | 981a1856f00c82be14215b9f27d92d1592f4ec16 | |
parent | be715fe6498f0c56163e8f50515b2fdd6ffeb0aa (diff) | |
download | bt-4fb4348145827acee28c7bcb53c0a9e3a1983b40.tar.gz |
Fix an OOB bug in parse_gap_data
Bug: 277590580
bug: 275553827
Test: atest net_test_main_shim
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:98007dd44ef095cae8091b7a31b6c7456eb9db25)
Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f
Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f
-rw-r--r-- | main/shim/utils.cc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/main/shim/utils.cc b/main/shim/utils.cc index dcf1725be..9f18ddc4f 100644 --- a/main/shim/utils.cc +++ b/main/shim/utils.cc @@ -25,6 +25,10 @@ void parse_gap_data(const std::vector<uint8_t> &raw_data, hci::GapData gap_data; uint8_t len = raw_data[offset]; + if (offset + len + 1 > raw_data.size()) { + break; + } + auto begin = raw_data.begin() + offset; auto end = begin + len + 1; // 1 byte for len auto data_copy = std::make_shared<std::vector<uint8_t>>(begin, end); |