Make sure server response doesn't exceed maximum allowable length Bug: 78787521 Test: try sending response bigger than BTGATT_MAX_ATTR_LEN Change-Id: I51b12483cced7e4c0d967acf5bb42559ef169fe7 Merged-In: I51b12483cced7e4c0d967acf5bb42559ef169fe7 (cherry picked from commit 0f34ae9398ed017465c0cac7387be9e6951c07be) (cherry picked from commit 8b69bbea4e565814f142ecb0199b002069807f44)

commit: 6ac5aea635d3a7ea363bd6ddefaf46dcdb05e2a8 [log] [tgz]
author: Jakub Pawlowski <jpawlowski@google.com> Thu May 10 00:16:13 2018 -0700
committer: hamzeh <hamzeh@google.com> Thu May 17 08:02:31 2018 -0700
tree: 99debfd1cc9d2b7f6342193e98f6a30453f3e27e
parent: 1a15c34a243cceeca68d8f7c1a99f6114c52db7c [diff]
diff --git a/jni/com_android_bluetooth_gatt.cpp b/jni/com_android_bluetooth_gatt.cpp
index c9f28a7..ca31749 100644
--- a/jni/com_android_bluetooth_gatt.cpp
+++ b/jni/com_android_bluetooth_gatt.cpp

@@ -1622,7 +1622,12 @@
 
     if (val != NULL)
     {
-        response.attr_value.len = (uint16_t) env->GetArrayLength(val);
+        if (env->GetArrayLength(val) < BTGATT_MAX_ATTR_LEN) {
+            response.attr_value.len = (uint16_t)env->GetArrayLength(val);
+        } else {
+            android_errorWriteLog(0x534e4554, "78787521");
+            response.attr_value.len = BTGATT_MAX_ATTR_LEN;
+        }
         jbyte* array = env->GetByteArrayElements(val, 0);
 
         for (int i = 0; i != response.attr_value.len; ++i)
commit	6ac5aea635d3a7ea363bd6ddefaf46dcdb05e2a8	[log] [tgz]
author	Jakub Pawlowski <jpawlowski@google.com>	Thu May 10 00:16:13 2018 -0700
committer	hamzeh <hamzeh@google.com>	Thu May 17 08:02:31 2018 -0700
tree	99debfd1cc9d2b7f6342193e98f6a30453f3e27e
parent	1a15c34a243cceeca68d8f7c1a99f6114c52db7c [diff]