commit | c14c1fb86420bb69b1d8d2ee9e83108331183acd | [log] [tgz] |
---|---|---|
author | Hansong Zhang <hsz@google.com> | Thu Feb 13 11:40:44 2020 -0800 |
committer | Hansong Zhang <hsz@google.com> | Tue Mar 10 17:15:15 2020 +0000 |
tree | e834195d586cac648edbf9954610add5f8b27196 | |
parent | 561bf0a6043109e8b4bf8da869bfbdd108486254 [diff] |
GattServcer: Check invalid offset Test: manual Bug: 143231677 Change-Id: I0396380f431cdb7f91c78db6de9043ea0f373dfe Merged-In: I97e2c3ae15fccc482d07d8d621c455cc74900cfd Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
diff --git a/service/gatt_server.cc b/service/gatt_server.cc
index 63bacbb..104afe1 100644
--- a/service/gatt_server.cc
+++ b/service/gatt_server.cc
@@ -16,6 +16,7 @@
 #include "service/gatt_server.h"
+#include "osi/include/log.h"
 #include "service/logging_helpers.h"
 #include "stack/include/bt_types.h"
@@ -114,6 +115,12 @@
 return false;
 }
+ if (offset < 0) {
+ android_errorWriteLog(0x534e4554, "143231677");
+ LOG(ERROR) << "Offset is less than 0 offset: " << offset;
+ return false;
+ }
+
 if (value.size() + offset > BTGATT_MAX_ATTR_LEN) {
 LOG(ERROR) << "Value is too large";
 return false;
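Review bot: The new `offset < 0` guard in the second hunk carries no comment saying why it has to come before the size check, and the check after it still mixes the signed `offset` with `value.size()`. Presumably `offset` is a signed int, so in `value.size() + offset` a negative value is converted to unsigned and the sum can wrap back under `BTGATT_MAX_ATTR_LEN`; I would record that above the guard, e.g. `// Reject negative offsets first: the unsigned sum below would wrap and pass the length check.` Writing the comparison as `value.size() + static_cast<size_t>(offset) > BTGATT_MAX_ATTR_LEN` would make the conversion explicit now that the guard makes it safe. The commit lists only manual testing, so a unit test that passes a negative offset and expects `false` would keep this from regressing. The enclosing function begins and ends outside the hunk.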