From 4fb4348145827acee28c7bcb53c0a9e3a1983b40 Mon Sep 17 00:00:00 2001
From: Hui Peng
Date: Tue, 3 Oct 2023 17:28:23 +0000
Subject: Fix an OOB bug in parse_gap_data

Bug: 277590580
bug: 275553827
Test: atest net_test_main_shim
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:98007dd44ef095cae8091b7a31b6c7456eb9db25)
Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f
Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f
---
 main/shim/utils.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/main/shim/utils.cc b/main/shim/utils.cc
index dcf1725be..9f18ddc4f 100644
--- a/main/shim/utils.cc
+++ b/main/shim/utils.cc
@@ -25,6 +25,10 @@ void parse_gap_data(const std::vector &raw_data,
 hci::GapData gap_data;
 uint8_t len = raw_data[offset];
 
+ if (offset + len + 1 > raw_data.size()) {
+ break;
+ }
+
 auto begin = raw_data.begin() + offset;
 auto end = begin + len + 1; // 1 byte for len
 auto data_copy = std::make_shared>(begin, end);
-- 
cgit v1.2.3
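Review bot: The added guard in parse_gap_data leaves the loop with a bare `break`, so an element whose length byte claims more bytes than remain in `raw_data` is dropped without a trace, and the caller cannot tell truncated input from a clean end of data. I would document the check with a comment such as `// Length byte runs past the end of raw_data: malformed element, stop parsing` and emit a warning-level log at that point so malformed GAP data is visible in bug reports. The commit lists `atest net_test_main_shim` but adds no test case here with a truncated final element, which would pin the fix against regression. The loop header and the condition that makes the preceding `raw_data[offset]` read safe are outside this hunk, so that read should be confirmed against the full function.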