FPII-1847: DO NOT MERGE Check size of pin before replying If a malicious client set a pin that was too long it would overflow the pin code memory. Bug: 27411268 Change-Id: I9197ac6fdaa92a4799dacb6364e04671a39450cc (cherry picked from commit c49222e89d51117a58cf98a5217691884a8370d6)

commit: ff28a7a8ba4b1a27a18cc903ab0d7da65b1f1080 [log] [tgz]
author: Marie Janssen <jamuraa@google.com> Wed Mar 09 15:31:48 2016 -0800
committer: Dirk Vogt <dirk@fairphone.com> Tue Apr 19 14:26:08 2016 +0200
tree: 71d5d212e134c66c5233c9ce2ce6498391599565
parent: d2b4ce336876761e5bce2cd344c2fda1ed192136 [diff]
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c
index e320be1..5999025 100644
--- a/btif/src/btif_dm.c
+++ b/btif/src/btif_dm.c

@@ -2874,7 +2874,7 @@
                                uint8_t pin_len, bt_pin_code_t *pin_code)
 {
     BTIF_TRACE_EVENT("%s: accept=%d", __FUNCTION__, accept);
-    if (pin_code == NULL)
+    if (pin_code == NULL || pin_len > PIN_CODE_LEN)
         return BT_STATUS_FAIL;
 #if (defined(BLE_INCLUDED) && (BLE_INCLUDED == TRUE))
commit	ff28a7a8ba4b1a27a18cc903ab0d7da65b1f1080	[log] [tgz]
author	Marie Janssen <jamuraa@google.com>	Wed Mar 09 15:31:48 2016 -0800
committer	Dirk Vogt <dirk@fairphone.com>	Tue Apr 19 14:26:08 2016 +0200
tree	71d5d212e134c66c5233c9ce2ce6498391599565
parent	d2b4ce336876761e5bce2cd344c2fda1ed192136 [diff]