diff options
author | Jakub Pawlowski <jpawlowski@google.com> | 2020-03-20 15:24:00 +0100 |
---|---|---|
committer | Anis Assi <anisassi@google.com> | 2020-04-09 13:46:53 -0700 |
commit | 73c22e6cdbfc5d099985c70edf9670686cc331a9 (patch) | |
tree | a0aac2046c82834a6173dd8dc285614ca48e095d | |
parent | f46a33622526bfc6f9db624223426517836f6098 (diff) | |
download | bt-security-pi-release.tar.gz |
Fix potential stack overflow caused by integer overflowandroid-9.0.0_r59android-9.0.0_r58android-9.0.0_r57android-9.0.0_r56security-pi-release
Bug: 151155194
Merged-In: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
Change-Id: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
(cherry picked from commit 1570b62c88d7c5b9c6bfe43da8cc16ea30d3e8df)
-rw-r--r-- | stack/smp/smp_cmac.cc | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/stack/smp/smp_cmac.cc b/stack/smp/smp_cmac.cc index 42f91a0c4..30ccef974 100644 --- a/stack/smp/smp_cmac.cc +++ b/stack/smp/smp_cmac.cc @@ -278,7 +278,8 @@ static bool cmac_generate_subkey(BT_OCTET16 key) { ******************************************************************************/ bool aes_cipher_msg_auth_code(BT_OCTET16 key, uint8_t* input, uint16_t length, uint16_t tlen, uint8_t* p_signature) { - uint16_t len, diff; + uint32_t len; + uint16_t diff; uint16_t n = (length + BT_OCTET16_LEN - 1) / BT_OCTET16_LEN; /* n is number of rounds */ bool ret = false; |