GattServcer: Check invalid offset Test: manual Bug: 143231677 Change-Id: I97e2c3ae15fccc482d07d8d621c455cc74900cfd Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8 (cherry picked from commit 7674de8fc890572471831ded8c80d3b52db5b60a)

commit: 6b7373a32e0a0628b497c1fbec5141ca47ef61b5 [log] [tgz]
author: Hansong Zhang <hsz@google.com> Thu Feb 13 11:40:44 2020 -0800
committer: android-build-team Robot <android-build-team-robot@google.com> Thu Mar 19 04:52:59 2020 +0000
tree: e586ea9cd998922f1a6e6eebd0255bc076e8b159
parent: 89321d6f0d47724dc7f0c17f7d7302d1fe75086b [diff]
diff --git a/service/gatt_server.cc b/service/gatt_server.cc
index 52fd1ed..f46927d 100644
--- a/service/gatt_server.cc
+++ b/service/gatt_server.cc

@@ -18,6 +18,7 @@
 
 #include <base/logging.h>
 
+#include "osi/include/log.h"
 #include "service/logging_helpers.h"
 #include "stack/include/bt_types.h"
 
@@ -116,6 +117,12 @@
     return false;
   }
 
+  if (offset < 0) {
+    android_errorWriteLog(0x534e4554, "143231677");
+    LOG(ERROR) << "Offset is less than 0 offset: " << offset;
+    return false;
+  }
+
   if (value.size() + offset > BTGATT_MAX_ATTR_LEN) {
     LOG(ERROR) << "Value is too large";
     return false;
commit	6b7373a32e0a0628b497c1fbec5141ca47ef61b5	[log] [tgz]
author	Hansong Zhang <hsz@google.com>	Thu Feb 13 11:40:44 2020 -0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Thu Mar 19 04:52:59 2020 +0000
tree	e586ea9cd998922f1a6e6eebd0255bc076e8b159
parent	89321d6f0d47724dc7f0c17f7d7302d1fe75086b [diff]