Fix out of bond write in gatt_db Cherry-pick of ag/17776270 in newly packages/modules/Bluetooth Fix: 228078096 Test: Checked in security report Ignore-AOSP-First: Security fix Change-Id: Ic63ce3b44d21aea8a036df5b2ddec4339427710f (cherry picked from commit 6c01b49e627cd1dd29fe656d9cd5eb01205c8301) Merged-In: Ic63ce3b44d21aea8a036df5b2ddec4339427710f

commit: a47b8c7e985fb5aa253c5b1367a631c9c028b4aa [log] [tgz]
author: William Escande <wescande@google.com> Fri Apr 15 13:45:27 2022 -0700
committer: Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Mon May 16 21:12:52 2022 +0000
tree: 82b1f0e9e37a16147fe5ce90cc0be3d26ba12a02
parent: 6cab953d1b6df0a93630d3c8aa1c351932a6df44 [diff]
diff --git a/stack/gatt/gatt_db.cc b/stack/gatt/gatt_db.cc
index f7d18e4..6353c28 100644
--- a/stack/gatt/gatt_db.cc
+++ b/stack/gatt/gatt_db.cc

@@ -27,6 +27,7 @@
 #include "bt_trace.h"
 #include "bt_utils.h"
 
+#include <log/log.h>
 #include <stdio.h>
 #include <string.h>
 #include "gatt_int.h"
@@ -237,6 +238,12 @@
     uint16_t char_ext_prop =
         attr16.p_value ? attr16.p_value->char_ext_prop : 0x0000;
     *p_len = 2;
+
+    if (mtu < *p_len) {
+      android_errorWriteWithInfoLog(0x534e4554, "228078096", -1, NULL, 0);
+      return GATT_NO_RESOURCES;
+    }
+
     UINT16_TO_STREAM(p, char_ext_prop);
     *p_data = p;
     return GATT_SUCCESS;
commit	a47b8c7e985fb5aa253c5b1367a631c9c028b4aa	[log] [tgz]
author	William Escande <wescande@google.com>	Fri Apr 15 13:45:27 2022 -0700
committer	Android Build Coastguard Worker <android-build-coastguard-worker@google.com>	Mon May 16 21:12:52 2022 +0000
tree	82b1f0e9e37a16147fe5ce90cc0be3d26ba12a02
parent	6cab953d1b6df0a93630d3c8aa1c351932a6df44 [diff]