• R/O
  • HTTP
  • SSH
  • HTTPS

Commit

Tags
Keine Tags

Frequently used words (click to add to your profile)

javaandroidc++linuxc#objective-ccocoa誰得qtrubypythongamewindowsbathyscaphephpguic翻訳omegattwitterframeworktestbtronarduinovb.net計画中(planning stage)directxpreviewerゲームエンジンdom

system/bt


Commit MetaInfo

Revision4e47f3db62bab524946c46efe04ed6a2b896b150 (tree)
Zeit2017-08-09 03:44:37
AutorPavlin Radoslavov <pavlin@goog...>
Commiterandroid-build-team Robot

Log Message

Add a missing check for PAN buffer size before copying data

Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit 1d909399cb4259243dac2e531e3ce6ca1afa77e7)

Ändern Zusammenfassung

Diff

--- a/bta/pan/bta_pan_act.cc
+++ b/bta/pan/bta_pan_act.cc
@@ -28,6 +28,8 @@
2828
2929 #include <string.h>
3030
31+#include <cutils/log.h>
32+
3133 #include "bt_common.h"
3234 #include "bta_api.h"
3335 #include "bta_pan_api.h"
@@ -174,6 +176,14 @@ static void bta_pan_data_buf_ind_cback(uint16_t handle, BD_ADDR src,
174176
175177 if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
176178 /* offset smaller than data structure in front of actual data */
179+ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
180+ PAN_BUF_SIZE) {
181+ android_errorWriteLog(0x534e4554, "63146237");
182+ APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
183+ p_buf->len);
184+ osi_free(p_buf);
185+ return;
186+ }
177187 p_new_buf = (BT_HDR*)osi_malloc(PAN_BUF_SIZE);
178188 memcpy((uint8_t*)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
179189 (uint8_t*)(p_buf + 1) + p_buf->offset, p_buf->len);