AdapterService: Check the PIN code length before using
The length is assigned by the framework. We should check it again
before using it, and drop any unexpected input.
Bug: 139287605
Test: PoC
Change-Id: Ie2dd01e0b192e7ed1fe4b464618ddfa415dbf15c
Merged-In: Ie2dd01e0b192e7ed1fe4b464618ddfa415dbf15c
(cherry picked from commit da3422f1987b791c841698098861f0af23136b7c)
diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
index 0e56e2c..0301107 100644
--- a/src/com/android/bluetooth/btservice/AdapterService.java
+++ b/src/com/android/bluetooth/btservice/AdapterService.java
@@ -1709,6 +1709,11 @@
return false;
}
+ if (pinCode.length != len) {
+ EventLog.writeEvent(0x534e4554, "139287605", -1, "PIN code length mismatch");
+ return false;
+ }
+
byte[] addr = Utils.getBytesFromAddress(device.getAddress());
return pinReplyNative(addr, accept, len, pinCode);
}
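Review bot: The new guard dereferences `pinCode.length` with no null check visible in the hunk, so a null array from the caller would raise a NullPointerException instead of being rejected and logged; the same applies to `passkey.length` in the second hunk. Unless the part of the method above the hunk already rejects null, the guard could read `if (pinCode == null || pinCode.length != len) {`. The comparison also only makes `len` agree with the array and sets no upper bound. pinReplyNative is not shown, so if the native side copies `len` bytes into a fixed-size PIN buffer (Bluetooth PIN codes are at most 16 bytes), that maximum should be enforced here as well. The method starts outside the hunk.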
@@ -1720,6 +1725,11 @@
return false;
}
+ if (passkey.length != len) {
+ EventLog.writeEvent(0x534e4554, "139287605", -1, "Passkey length mismatch");
+ return false;
+ }
+
byte[] addr = Utils.getBytesFromAddress(device.getAddress());
return sspReplyNative(addr, AbstractionLayer.BT_SSP_VARIANT_PASSKEY_ENTRY, accept,
Utils.byteArrayToInt(passkey));
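Review bot: Comparing `passkey.length` with `len` does not establish that the array has the width `Utils.byteArrayToInt(passkey)` needs, because both values come from the same caller and `len` is not otherwise passed to sspReplyNative. byteArrayToInt is not shown; if it reads a fixed four-byte integer, the guard should also pin that size, for example `if (passkey.length != len || len != Integer.BYTES) {`. Separately, both EventLog calls pass `-1` as the uid; if these methods run on the incoming binder thread, `Binder.getCallingUid()` there would let the event be attributed to the calling app during triage. The method starts outside the hunk.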