Fix an OOB bug in parse_gap_data

Bug: 277590580 bug: 275553827 Test: atest net_test_main_shim Ignore-AOSP-First: security Tag: #security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:98007dd44ef095cae8091b7a31b6c7456eb9db25) Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f
author: Hui Peng <phui@google.com> 2023-10-03 17:28:23 +0000
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> 2023-10-23 17:59:49 +0000
commit: 4fb4348145827acee28c7bcb53c0a9e3a1983b40 (patch)
tree: 981a1856f00c82be14215b9f27d92d1592f4ec16
parent: be715fe6498f0c56163e8f50515b2fdd6ffeb0aa (diff)
download: bt-4fb4348145827acee28c7bcb53c0a9e3a1983b40.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/main/shim/utils.cc b/main/shim/utils.cc
index dcf1725be..9f18ddc4f 100644
--- a/main/shim/utils.cc
+++ b/main/shim/utils.cc
@@ -25,6 +25,10 @@ void parse_gap_data(const std::vector<uint8_t> &raw_data,
       hci::GapData gap_data;
       uint8_t len = raw_data[offset];
 
+      if (offset + len + 1 > raw_data.size()) {
+        break;
+      }
+
       auto begin = raw_data.begin() + offset;
       auto end = begin + len + 1;  // 1 byte for len
       auto data_copy = std::make_shared<std::vector<uint8_t>>(begin, end);
author	Hui Peng <phui@google.com>	2023-10-03 17:28:23 +0000
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	2023-10-23 17:59:49 +0000
commit	4fb4348145827acee28c7bcb53c0a9e3a1983b40 (patch)
tree	981a1856f00c82be14215b9f27d92d1592f4ec16
parent	be715fe6498f0c56163e8f50515b2fdd6ffeb0aa (diff)
download	bt-4fb4348145827acee28c7bcb53c0a9e3a1983b40.tar.gz