Make sure server response doesn't exceed maximum allowable length
Bug: 78787521
Test: try sending response bigger than BTGATT_MAX_ATTR_LEN
Change-Id: I51b12483cced7e4c0d967acf5bb42559ef169fe7
Merged-In: I51b12483cced7e4c0d967acf5bb42559ef169fe7
(cherry picked from commit 0f34ae9398ed017465c0cac7387be9e6951c07be)
(cherry picked from commit 8b69bbea4e565814f142ecb0199b002069807f44)
diff --git a/jni/com_android_bluetooth_gatt.cpp b/jni/com_android_bluetooth_gatt.cpp
index c9f28a7..ca31749 100644
--- a/jni/com_android_bluetooth_gatt.cpp
+++ b/jni/com_android_bluetooth_gatt.cpp
@@ -1622,7 +1622,12 @@
if (val != NULL)
{
- response.attr_value.len = (uint16_t) env->GetArrayLength(val);
+ if (env->GetArrayLength(val) < BTGATT_MAX_ATTR_LEN) {
+ response.attr_value.len = (uint16_t)env->GetArrayLength(val);
+ } else {
+ android_errorWriteLog(0x534e4554, "78787521");
+ response.attr_value.len = BTGATT_MAX_ATTR_LEN;
+ }
jbyte* array = env->GetByteArrayElements(val, 0);
for (int i = 0; i != response.attr_value.len; ++i)