GattServcer: Check invalid offset Test: manual Bug: 143231677 Merged-In: I0396380f431cdb7f91c78db6de9043ea0f373dfe Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8 Change-Id: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8

commit: 30a2860ed19866159a0870c57a94ad8df0b1a683 [log] [tgz]
author: Hansong Zhang <hsz@google.com> Thu Feb 13 11:40:44 2020 -0800
committer: Hansong Zhang <hsz@google.com> Tue Mar 10 21:04:32 2020 +0000
tree: 54e57718076ca0b36fe27476ca262231904846c8
parent: 2039ca38e97c8da976b4e4850c6bdec706cda809 [diff]
diff --git a/service/gatt_server.cc b/service/gatt_server.cc
index e4a6ec5..016c132 100644
--- a/service/gatt_server.cc
+++ b/service/gatt_server.cc

@@ -16,6 +16,7 @@
 
 #include "service/gatt_server.h"
 
+#include "osi/include/log.h"
 #include "service/common/bluetooth/util/address_helper.h"
 #include "service/logging_helpers.h"
 
@@ -126,6 +127,12 @@
     return false;
   }
 
+  if (offset < 0) {
+    android_errorWriteLog(0x534e4554, "143231677");
+    LOG(ERROR) << "Offset is less than 0 offset: " << offset;
+    return false;
+  }
+
   if (value.size() + offset > BTGATT_MAX_ATTR_LEN) {
     LOG(ERROR) << "Value is too large";
     return false;
commit	30a2860ed19866159a0870c57a94ad8df0b1a683	[log] [tgz]
author	Hansong Zhang <hsz@google.com>	Thu Feb 13 11:40:44 2020 -0800
committer	Hansong Zhang <hsz@google.com>	Tue Mar 10 21:04:32 2020 +0000
tree	54e57718076ca0b36fe27476ca262231904846c8
parent	2039ca38e97c8da976b4e4850c6bdec706cda809 [diff]