OSDN -- Open-Source-Software-Entwicklung und Downloads
Übersetzungsstatus von Deutsch translation status for de
  • R/O
  • HTTP
  • SSH
  • HTTPS
Fork

Commit

Tags
Keine Tags

Frequently used words (click to add to your profile)

javaandroidc++linuxc#objective-ccocoa誰得qtrubypythongamewindowsbathyscaphephpguic翻訳omegattwitterframeworktestbtronarduinovb.net計画中(planning stage)directxpreviewerゲームエンジンdom

system/bt


Commit MetaInfo

Revision922d50b99e45d02b405940fe9a33887141da5c7e (tree)
Zeit2017-09-15 02:54:03
AutorPavlin Radoslavov <pavlin@goog...>
CommiterDan Pasanen

Log Message

Add a missing check for PAN buffer size before copying data

Bug: 63146237
Test: External script
Change-Id: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
Merged-In: I3e9c8a767a8a2a80ff56ccb48c56ca0d4b8c3402
(cherry picked from commit 1d909399cb4259243dac2e531e3ce6ca1afa77e7)
(cherry picked from commit aa486ad8b5ad6eaef732e5fa7f151495c8c3faf2)
(cherry picked from commit a8a6a17fdfc8d930ba4ad18f92cf4453cc1a219e)
(cherry picked from commit d1145e0af3507e37d4bd25f1833e22c5c716f0ac)
(cherry picked from commit 23642dc32ce8704067882cfb37745b62c2b3562a)

Ändern Zusammenfassung

Diff

--- a/bta/pan/bta_pan_act.c
+++ b/bta/pan/bta_pan_act.c
@@ -26,6 +26,8 @@
2626
2727 #if defined(PAN_INCLUDED) && (PAN_INCLUDED == TRUE)
2828
29+#include <cutils/log.h>
30+
2931 #include "bta_api.h"
3032 #include "bta_sys.h"
3133 #include "bt_common.h"
@@ -176,6 +178,14 @@ static void bta_pan_data_buf_ind_cback(UINT16 handle, BD_ADDR src, BD_ADDR dst,
176178
177179 if (sizeof(tBTA_PAN_DATA_PARAMS) > p_buf->offset) {
178180 /* offset smaller than data structure in front of actual data */
181+ if (sizeof(BT_HDR) + sizeof(tBTA_PAN_DATA_PARAMS) + p_buf->len >
182+ PAN_BUF_SIZE) {
183+ android_errorWriteLog(0x534e4554, "63146237");
184+ APPL_TRACE_ERROR("%s: received buffer length too large: %d", __func__,
185+ p_buf->len);
186+ osi_free(p_buf);
187+ return;
188+ }
179189 p_new_buf = (BT_HDR *)osi_malloc(PAN_BUF_SIZE);
180190 memcpy((UINT8 *)(p_new_buf + 1) + sizeof(tBTA_PAN_DATA_PARAMS),
181191 (UINT8 *)(p_buf + 1) + p_buf->offset, p_buf->len);