Fix OOB read in btm_ble_periodic_av_sync_lost

btm_ble_periodic_av_sync_lost internally calls the function
btm_ble_get_psync_index_from_handle, which polls the internal periodic
sync buffer and returns a matching index if one exists.  If no matching
handle is found, it returns MAX_SYNC_TRANSACTION.

However, here the calling function lacks the check for this case present
in similar functions.  If no handle is matched, it will attempt to index
the buffer with MAX_SYNC_TRANSACTION, which will overrun it by a single
width and lead to OOB access.

Add handling for this case.

Bug: 273502002
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm, validated
against researcher POC
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from
Merged-In: I2e1e95b277f81b2668f721a7693df50841968ec5
Change-Id: I2e1e95b277f81b2668f721a7693df50841968ec5
diff --git a/system/stack/btm/ b/system/stack/btm/
index c2fda91..b4e52f6 100644
--- a/system/stack/btm/
+++ b/system/stack/btm/
@@ -1165,6 +1165,10 @@
   LOG_DEBUG("[PSync]: sync_handle = %d", sync_handle);
   int index = btm_ble_get_psync_index_from_handle(sync_handle);
+  if (index == MAX_SYNC_TRANSACTION) {
+    LOG_ERROR("[PSync]: index not found for handle %u", sync_handle);
+    return;
+  }
   tBTM_BLE_PERIODIC_SYNC* ps = &btm_ble_pa_sync_cb.p_sync[index];
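Review bot: The guard `if (index == MAX_SYNC_TRANSACTION)` rejects only the exact sentinel value, while `index` is a signed `int` that is used on the next line to subscript `btm_ble_pa_sync_cb.p_sync`. A range check such as `if (index < 0 || index >= MAX_SYNC_TRANSACTION)` would keep the access in bounds even if the return contract of `btm_ble_get_psync_index_from_handle` changes later, at no extra cost. Two smaller points: the new `LOG_ERROR` formats `sync_handle` with `%u` while the `LOG_DEBUG` just above it uses `%d`, so one of them does not match the variable's type and they should agree. Since the commit message says similar functions already carry this check, it is worth confirming that every other caller of the lookup helper is covered, or moving the validation into a shared helper so a new caller cannot omit it.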