Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / bt / refs/heads/odm/rc/qssi/12/fp4^! / .
commitbcc29eb81c18804aabf8f869fc9ebbec87303a52[log] [tgz]
authorHui Peng <phui@google.com>Thu Jul 27 04:09:04 2023 +0000
committerFairphone ODM <fairphone-odm@localhost>Mon Sep 25 15:04:21 2023 +0800
tree0ab3c2cb3533682befa864f5603df928c2c6ad96
parente6593aeb748dda03656c45bc5133e6b794d9d119 [diff]
Fix an integer underflow in build_read_multi_rsp

This is a backport of Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
to sc-dev

Bug: 273874525
Test: manual
Ignore-AOSP-First: security
Tag: #security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d5f27984f4ca265f28a4adf5835b0198a3e19aed)
Merged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
Change-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4
(cherry picked from commit 330b1873738f7159bfbe3848151dda13a79c505e)

diff --git a/stack/gatt/gatt_sr.cc b/stack/gatt/gatt_sr.cc
index e358bd9..d689acf 100644
--- a/stack/gatt/gatt_sr.cc
+++ b/stack/gatt/gatt_sr.cc

@@ -21,6 +21,7 @@
  *  this file contains the GATT server functions
  *
  ******************************************************************************/
+#include <algorithm>
 #include "bt_target.h"
 #include "osi/include/osi.h"
 
@@ -173,12 +174,24 @@
     }
 
     if (p_rsp != NULL) {
-      total_len = (p_buf->len + p_rsp->attr_value.len);
+      total_len = p_buf->len;
       if (p_cmd->multi_req.variable_len) {
         total_len += 2;
       }
 
       if (total_len > mtu) {
+        VLOG(1) << "Buffer space not enough for this data item, skipping";
+        break;
+      }
+
+      len = std::min((size_t) p_rsp->attr_value.len, mtu - total_len);
+
+      if (len == 0) {
+        VLOG(1) << "Buffer space not enough for this data item, skipping";
+        break;
+      }
+
+      if (len < p_rsp->attr_value.len) {
         /* just send the partial response for the overflow case */
         len = p_rsp->attr_value.len - (total_len - mtu);
         is_overflow = true;
@@ -190,20 +203,13 @@
       }
 
       if (p_cmd->multi_req.variable_len) {
-        UINT16_TO_STREAM(p, len);
+        UINT16_TO_STREAM(p, (uint16_t) len);
         p_buf->len += 2;
       }
 
       if (p_rsp->attr_value.handle == p_cmd->multi_req.handles[ii]) {
-        // check for possible integer overflow
-        if (p_buf->len + len <= UINT16_MAX) {
-          memcpy(p, p_rsp->attr_value.value, len);
-          if (!is_overflow) p += len;
-          p_buf->len += len;
-        } else {
-          p_cmd->status = GATT_NOT_FOUND;
-          break;
-        }
+        ARRAY_TO_STREAM(p, p_rsp->attr_value.value, (uint16_t) len);
+        p_buf->len += (uint16_t) len;
       } else {
         p_cmd->status = GATT_NOT_FOUND;
         break;