Merge branch 'security-aosp-tm-release' into int/13/fp3
* security-aosp-tm-release:
Fix an integer underflow in build_read_multi_rsp
Change-Id: I1b9a96b2d97d55005e61f9971231af22cefd148c
diff --git a/system/stack/gatt/gatt_sr.cc b/system/stack/gatt/gatt_sr.cc
index f2a3e22..ce00ef7 100644
--- a/system/stack/gatt/gatt_sr.cc
+++ b/system/stack/gatt/gatt_sr.cc
@@ -21,6 +21,7 @@
* this file contains the GATT server functions
*
******************************************************************************/
+#include <algorithm>
#include <string.h>
#include "bt_target.h"
@@ -178,37 +179,38 @@
}
if (p_rsp != NULL) {
- total_len = (p_buf->len + p_rsp->attr_value.len);
+ total_len = p_buf->len;
if (p_cmd->multi_req.variable_len) {
total_len += 2;
}
if (total_len > mtu) {
- /* just send the partial response for the overflow case */
- len = p_rsp->attr_value.len - (total_len - mtu);
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
+
+ len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+
+ if (len == 0) {
+ VLOG(1) << "Buffer space not enough for this data item, skipping";
+ break;
+ }
+
+ if (len < p_rsp->attr_value.len) {
is_overflow = true;
VLOG(1) << StringPrintf(
"multi read overflow available len=%zu val_len=%d", len,
p_rsp->attr_value.len);
- } else {
- len = p_rsp->attr_value.len;
}
if (p_cmd->multi_req.variable_len) {
- UINT16_TO_STREAM(p, len);
+ UINT16_TO_STREAM(p, (uint16_t) len);
p_buf->len += 2;
}
if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
- // check for possible integer overflow
- if (p_buf->len + len <= UINT16_MAX) {
- memcpy(p, p_rsp->attr_value.value, len);
- if (!is_overflow) p += len;
- p_buf->len += len;
- } else {
- p_cmd->status = GATT_NOT_FOUND;
- break;
- }
+ ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
+ p_buf->len += (uint16_t) len;
} else {
p_cmd->status = GATT_NOT_FOUND;
break;