commit | 30a2860ed19866159a0870c57a94ad8df0b1a683 | [log] [tgz] |
---|---|---|
author | Hansong Zhang <hsz@google.com> | Thu Feb 13 11:40:44 2020 -0800 |
committer | Hansong Zhang <hsz@google.com> | Tue Mar 10 21:04:32 2020 +0000 |
tree | 54e57718076ca0b36fe27476ca262231904846c8 | |
parent | 2039ca38e97c8da976b4e4850c6bdec706cda809 [diff] |
GattServcer: Check invalid offset Test: manual Bug: 143231677 Merged-In: I0396380f431cdb7f91c78db6de9043ea0f373dfe Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8 Change-Id: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
diff --git a/service/gatt_server.cc b/service/gatt_server.cc index e4a6ec5..016c132 100644 --- a/service/gatt_server.cc +++ b/service/gatt_server.cc
@@ -16,6 +16,7 @@ #include "service/gatt_server.h" +#include "osi/include/log.h" #include "service/common/bluetooth/util/address_helper.h" #include "service/logging_helpers.h" @@ -126,6 +127,12 @@ return false; } + if (offset < 0) { + android_errorWriteLog(0x534e4554, "143231677"); + LOG(ERROR) << "Offset is less than 0 offset: " << offset; + return false; + } + if (value.size() + offset > BTGATT_MAX_ATTR_LEN) { LOG(ERROR) << "Value is too large"; return false;