Merge branch 'dev/11/fp3/security-aosp-rvc-release' into int/11/fp3 * dev/11/fp3/security-aosp-rvc-release: Fix gatt_end_operation buffer overflow Change-Id: Ib1a96649930d942fc63db754924ca28b5e0ad135

commit: 6eaa06fb9014f578751ed0019e60595ce7e59bde [log] [tgz]
author: Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners> Fri Jul 28 00:38:09 2023 +0530
committer: Maarten Derks <maarten@fairphone.com> Wed Aug 02 14:33:58 2023 +0200
tree: fc86a7c7ca6a6671065b411687a1c4c982d79cfc
parent: 0f91a68d9ac365bd1e27918aa9b5fa4a216d7ab2 [diff]
parent: e0126c6e351a4cfe9bf7cc057fa2635d0de7c01b [diff]
diff --git a/stack/gatt/gatt_utils.cc b/stack/gatt/gatt_utils.cc
index 2bd4240..0130117 100644
--- a/stack/gatt/gatt_utils.cc
+++ b/stack/gatt/gatt_utils.cc

@@ -1198,6 +1198,13 @@
       cb_data.att_value.handle = p_clcb->s_handle;
       cb_data.att_value.len = p_clcb->counter;
 
+      if (cb_data.att_value.len > GATT_MAX_ATTR_LEN) {
+        LOG(WARNING) << __func__
+                     << StringPrintf(" Large cb_data.att_value, size=%d",
+                                     cb_data.att_value.len);
+        cb_data.att_value.len = GATT_MAX_ATTR_LEN;
+      }
+
       if (p_data && p_clcb->counter)
         memcpy(cb_data.att_value.value, p_data, cb_data.att_value.len);
     }
commit	6eaa06fb9014f578751ed0019e60595ce7e59bde	[log] [tgz]
author	Prashantsinh Parmar <prashantsinh.parmar@fairphone.partners>	Fri Jul 28 00:38:09 2023 +0530
committer	Maarten Derks <maarten@fairphone.com>	Wed Aug 02 14:33:58 2023 +0200
tree	fc86a7c7ca6a6671065b411687a1c4c982d79cfc
parent	0f91a68d9ac365bd1e27918aa9b5fa4a216d7ab2 [diff]
parent	e0126c6e351a4cfe9bf7cc057fa2635d0de7c01b [diff]