From 97e84ea15a31d8df49003b19ac3ef5cd52ea95f5 Mon Sep 17 00:00:00 2001
From: Chris Manton <cmanton@google.com>
Date: Tue, 7 Dec 2021 18:57:48 -0800
Subject: Handle bogus multi value packet lengths

Bug: 206128341
Tag: #security
Test: gd/cert/run

Ignore-AOSP-First: Security fix
Change-Id: I7cbb601e87259c08796731de44f2b2eaba1e2894
---
 stack/gatt/gatt_cl.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc
index 8c3567d7a..cb5c13877 100644
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -745,7 +745,7 @@ void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
     rem_len -= 4;
     // Make sure we don't read past the remaining data even if the length says
     // we can Also need to watch comparing the int16_t with the uint16_t
-    value.len = std::min(rem_len, (int16_t)value.len);
+    value.len = std::min((uint16_t)rem_len, value.len);
     STREAM_TO_ARRAY(value.value, p, value.len);
     // Accounting
     rem_len -= value.len;
-- 
cgit v1.2.3