Fix out of bond write in gatt_db
Cherry-pick of ag/17776270 in newly packages/modules/Bluetooth
Fix: 228078096
Test: Checked in security report
Ignore-AOSP-First: Security fix
Change-Id: Ic63ce3b44d21aea8a036df5b2ddec4339427710f
(cherry picked from commit 6c01b49e627cd1dd29fe656d9cd5eb01205c8301)
Merged-In: Ic63ce3b44d21aea8a036df5b2ddec4339427710f
diff --git a/stack/gatt/gatt_db.cc b/stack/gatt/gatt_db.cc
index f7d18e4..6353c28 100644
--- a/stack/gatt/gatt_db.cc
+++ b/stack/gatt/gatt_db.cc
@@ -27,6 +27,7 @@
#include "bt_trace.h"
#include "bt_utils.h"
+#include <log/log.h>
#include <stdio.h>
#include <string.h>
#include "gatt_int.h"
@@ -237,6 +238,12 @@
uint16_t char_ext_prop =
attr16.p_value ? attr16.p_value->char_ext_prop : 0x0000;
*p_len = 2;
+
+ if (mtu < *p_len) {
+ android_errorWriteWithInfoLog(0x534e4554, "228078096", -1, NULL, 0);
+ return GATT_NO_RESOURCES;
+ }
+
UINT16_TO_STREAM(p, char_ext_prop);
*p_data = p;
return GATT_SUCCESS;