Fix potential stack overflow caused by integer overflowandroid-9.0.0_r59 android-9.0.0_r58 android-9.0.0_r57 android-9.0.0_r56 security-pi-release

Bug: 151155194 Merged-In: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca Change-Id: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca (cherry picked from commit 1570b62c88d7c5b9c6bfe43da8cc16ea30d3e8df)
author: Jakub Pawlowski <jpawlowski@google.com> 2020-03-20 15:24:00 +0100
committer: Anis Assi <anisassi@google.com> 2020-04-09 13:46:53 -0700
commit: 73c22e6cdbfc5d099985c70edf9670686cc331a9 (patch)
tree: a0aac2046c82834a6173dd8dc285614ca48e095d
parent: f46a33622526bfc6f9db624223426517836f6098 (diff)
download: bt-security-pi-release.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/stack/smp/smp_cmac.cc b/stack/smp/smp_cmac.cc
index 42f91a0c4..30ccef974 100644
--- a/stack/smp/smp_cmac.cc
+++ b/stack/smp/smp_cmac.cc
@@ -278,7 +278,8 @@ static bool cmac_generate_subkey(BT_OCTET16 key) {
  ******************************************************************************/
 bool aes_cipher_msg_auth_code(BT_OCTET16 key, uint8_t* input, uint16_t length,
                               uint16_t tlen, uint8_t* p_signature) {
-  uint16_t len, diff;
+  uint32_t len;
+  uint16_t diff;
   uint16_t n = (length + BT_OCTET16_LEN - 1) /
                BT_OCTET16_LEN; /* n is number of rounds */
   bool ret = false;
author	Jakub Pawlowski <jpawlowski@google.com>	2020-03-20 15:24:00 +0100
committer	Anis Assi <anisassi@google.com>	2020-04-09 13:46:53 -0700
commit	73c22e6cdbfc5d099985c70edf9670686cc331a9 (patch)
tree	a0aac2046c82834a6173dd8dc285614ca48e095d
parent	f46a33622526bfc6f9db624223426517836f6098 (diff)
download	bt-security-pi-release.tar.gz