btm: fixing oob write in multi-adv SetData.
Fixing size checks when searching to fill in the TX_Power data section.
Bug: b/123292010
Test: ./test/run_unit_tests.sh
Change-Id: If6e7aa40a1a08b098e71ca0ccc8ef66f488571fb
(cherry picked from commit d75b102b125a9b788ddb3dba5e2e56bbc8a3faeb)
diff --git a/stack/btm/btm_ble_multi_adv.cc b/stack/btm/btm_ble_multi_adv.cc
index 22d2e17..b425c09 100644
--- a/stack/btm/btm_ble_multi_adv.cc
+++ b/stack/btm/btm_ble_multi_adv.cc
@@ -728,16 +728,13 @@
data.insert(data.begin(), flags.begin(), flags.end());
}
- // Find and fill TX Power with the correct value
- if (data.size()) {
- size_t i = 0;
- while (i < data.size()) {
- uint8_t type = data[i + 1];
- if (type == HCI_EIR_TX_POWER_LEVEL_TYPE) {
- data[i + 2] = adv_inst[inst_id].tx_power;
- }
- i += data[i] + 1;
+ // Find and fill TX Power with the correct value.
+ // The TX Power section is a 3 byte section.
+ for (size_t i = 0; (i + 2) < data.size();) {
+ if (data[i + 1] == HCI_EIR_TX_POWER_LEVEL_TYPE) {
+ data[i + 2] = adv_inst[inst_id].tx_power;
}
+ i += data[i] + 1;
}
VLOG(1) << "data is: " << base::HexEncode(data.data(), data.size());
