Google Git
Sign in
android / platform / packages / modules / Bluetooth / 57b823f4f758e2ef530909da07552b5aa80c6a7d^! / .
commit57b823f4f758e2ef530909da07552b5aa80c6a7d[log] [tgz]
authorHui Peng <phui@google.com>Sat Apr 29 18:04:37 2023 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>Wed Dec 06 22:44:40 2023 +0000
treeebd9412c728f04db5574aa506dab234a8340986c
parent92cc886ffc40d9d89a5c66bb38a64b8a47f344f5 [diff]
Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd

1. The size of `p_src->attr_value.value` is dependent on
   `p_src->attr_value.len`. While copying `p_src->attr_value.value`,
   to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN
   bytes, it may result in OOB read in `p_src->attr_value.value`;

2. As the `p_dest->attr_value.len` does not map the length of
   `p_dest->attr_value.value`, it may result in OOB read in
   attp_build_value_cmd;

Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59)
Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368

diff --git a/system/btif/src/btif_gatt_util.cc b/system/btif/src/btif_gatt_util.cc
index 26dd790..db4d045 100644
--- a/system/btif/src/btif_gatt_util.cc
+++ b/system/btif/src/btif_gatt_util.cc

@@ -18,6 +18,8 @@
 
 #define LOG_TAG "bt_btif_gatt"
 
+#include <algorithm>
+
 #include "btif_gatt_util.h"
 
 #include <errno.h>
@@ -52,9 +54,9 @@
 void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
   p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
   p_dest->attr_value.handle = p_src->attr_value.handle;
-  p_dest->attr_value.len = p_src->attr_value.len;
+  p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
   p_dest->attr_value.offset = p_src->attr_value.offset;
-  memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
+  memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
 }
 
 /*******************************************************************************