Fix potential stack overflow caused by integer overflow Bug: 151155194 Merged-In: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca Change-Id: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca (cherry picked from commit 1570b62c88d7c5b9c6bfe43da8cc16ea30d3e8df)

commit: 73c22e6cdbfc5d099985c70edf9670686cc331a9 [log] [tgz]
author: Jakub Pawlowski <jpawlowski@google.com> Fri Mar 20 15:24:00 2020 +0100
committer: Anis Assi <anisassi@google.com> Thu Apr 09 13:46:53 2020 -0700
tree: a0aac2046c82834a6173dd8dc285614ca48e095d
parent: f46a33622526bfc6f9db624223426517836f6098 [diff]
diff --git a/stack/smp/smp_cmac.cc b/stack/smp/smp_cmac.cc
index 42f91a0..30ccef9 100644
--- a/stack/smp/smp_cmac.cc
+++ b/stack/smp/smp_cmac.cc

@@ -278,7 +278,8 @@
  ******************************************************************************/
 bool aes_cipher_msg_auth_code(BT_OCTET16 key, uint8_t* input, uint16_t length,
                               uint16_t tlen, uint8_t* p_signature) {
-  uint16_t len, diff;
+  uint32_t len;
+  uint16_t diff;
   uint16_t n = (length + BT_OCTET16_LEN - 1) /
                BT_OCTET16_LEN; /* n is number of rounds */
   bool ret = false;
commit	73c22e6cdbfc5d099985c70edf9670686cc331a9	[log] [tgz]
author	Jakub Pawlowski <jpawlowski@google.com>	Fri Mar 20 15:24:00 2020 +0100
committer	Anis Assi <anisassi@google.com>	Thu Apr 09 13:46:53 2020 -0700
tree	a0aac2046c82834a6173dd8dc285614ca48e095d
parent	f46a33622526bfc6f9db624223426517836f6098 [diff]