Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / bt / c82bff2e7890710086213b0e1efcb834c86448b2
commitc82bff2e7890710086213b0e1efcb834c86448b2[log] [tgz]
authorSharvil Nanavati <sharvil@google.com>Mon Jan 04 17:21:05 2016 -0800
committerSharvil Nanavati <sharvil@google.com>Mon Jan 04 17:34:53 2016 -0800
tree6f289ffc997375f6b3bebfcd4cf1ed59d2abb5a4
parentb2c46a45410d6ecfa2b6df57fb81ee4b192e5455 [diff]
Fix crash in HFP client's +COPS parsing code.

If the Audio Gateway sends a malformed +COPS message (an operator
name > 16 characters) then the %n in sscanf format specifier is
ignored and sscanf will not assign a value to the appropriate
argument.

In such a case, the existing code will perform pointer arithmetic
using an uninitialized stack variable as an offset which may result
in pointing to an invalid memory address. When that memory is
subsequently dereferenced, we observe a crash.

This change ensures that the stack does not crash even if an invalid
+COPS message is sent from the Audio Gateway.

Bug: 24871011
Change-Id: I9bb42c75bcd90487831fc6950c571c87098559e7
1 file changed
tree: 6f289ffc997375f6b3bebfcd4cf1ed59d2abb5a4
  1. audio_a2dp_hw/
  2. bta/
  3. btcore/
  4. btif/
  5. build/
  6. conf/
  7. device/
  8. doc/
  9. embdrv/
  10. hci/
  11. include/
  12. main/
  13. osi/
  14. profile/
  15. service/
  16. stack/
  17. test/
  18. tools/
  19. udrv/
  20. utils/
  21. vendor_libs/
  22. vnd/
  23. .gitignore
  24. .gn
  25. Android.mk
  26. BUILD.gn
  27. CleanSpec.mk
  28. HACKING
  29. MODULE_LICENSE_APACHE2
  30. NOTICE