BT: fix possible out of bounds read
In btm_ble_bgconn.c, function btm_update_bg_conn_list(), if the last element in
"p_cb->bg_dev_list" is removed, the line:
"p_next = p_bg_dev + 1;"
will make "p_next" point at an entry outside the bounds of the array.
There, the check for "p_next->in_use" may yield a TRUE result depending on what
data exists in the memory pointed to by "p_next", which is unknown.
If the check passes, the statement:
" memcpy(p_cur, p_next, sizeof(tBTM_LE_BG_CONN_DEV));"
will copy random data into the entry pointed at by "p_cur".
This can potentially corrupt the white list, filling it with entries that
contain garbage and preventing new valid devices from being added to the list.
Bug: 18748601
Change-Id: I98b4be4e9f4568ea77f89146eae1e38f19fa1ee3
1 file changed
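The remove-and-compact step the message describes, as an added C illustration of the bounds check that prevents the read past the end of the array. This is not the patch itself nor the Bluetooth stack's code; BG_LIST_MAX, bg_dev_t, bg_list_remove and demo_remove_last are constructed stand-ins for the real list and tBTM_LE_BG_CONN_DEV.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a background-connection list entry; the real
 * tBTM_LE_BG_CONN_DEV layout is not shown in the commit message. */
#define BG_LIST_MAX 3
typedef struct { bool in_use; uint8_t bd_addr[6]; } bg_dev_t;

/* Remove entry `idx` and shift later in-use entries down so the list stays
 * contiguous. Returns the number of entries still in use, or -1 on a bad index. */
int bg_list_remove(bg_dev_t *list, size_t idx)
{
    if (idx >= BG_LIST_MAX || !list[idx].in_use)
        return -1;
    memset(&list[idx], 0, sizeof(list[idx]));
    /* The bound `i + 1 < BG_LIST_MAX` is the point of the fix: the original
     * loop formed p_next = p_cur + 1 and tested p_next->in_use without checking
     * that p_next was still inside the array, so removing the last element
     * read memory past the end and could memcpy that garbage into p_cur. */
    for (size_t i = idx; i + 1 < BG_LIST_MAX; i++) {
        bg_dev_t *p_next = &list[i + 1];
        if (!p_next->in_use)
            break;
        memcpy(&list[i], p_next, sizeof(*p_next));
        memset(p_next, 0, sizeof(*p_next));
    }
    int count = 0;
    for (size_t i = 0; i < BG_LIST_MAX; i++)
        count += list[i].in_use ? 1 : 0;
    return count;
}

/* Constructed scenario: fill the list, then remove the last entry (the case
 * that used to read out of bounds). Returns the remaining count when the
 * surviving entries are intact and the freed slot is clear, else -1. */
int demo_remove_last(void)
{
    bg_dev_t list[BG_LIST_MAX];
    memset(list, 0, sizeof(list));
    for (size_t i = 0; i < BG_LIST_MAX; i++) {
        list[i].in_use = true;
        memset(list[i].bd_addr, (int)i + 1, sizeof(list[i].bd_addr));
    }
    int n = bg_list_remove(list, BG_LIST_MAX - 1);
    if (list[BG_LIST_MAX - 1].in_use || list[0].bd_addr[0] != 1 || list[1].bd_addr[0] != 2)
        return -1;
    return n;
}
```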