memory corruption on bluetooth stack.

This memory corruption will happen if the remote BLE device name
is more than 249 bytes (the maximum attribute length our BLE support is 600.).
after we send/receive GATT remote device name service attribute.
 We will copy upto 600 bytes data to a local name buffer with size of 249.
This will cause serious memory corruption on the stack memory.

bug:12570982
Change-Id: I5b2ffd5f5a16f4d80d5491e86bf18bf47e30629e

diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
index bfe5fda..3949640 100644 (file)
--- a/stack/btm/btm_ble_gap.c
+++ b/stack/btm/btm_ble_gap.c
@@ -1145,6 +1145,10 @@ void btm_ble_read_remote_name_cmpl(BOOLEAN status, BD_ADDR bda, UINT16 length, c
     BD_NAME bd_name;
 
     memset(bd_name, 0, (BD_NAME_LEN + 1));
+    if (length > BD_NAME_LEN)
+    {
+        length = BD_NAME_LEN;
+    }
     memcpy((UINT8*)bd_name, p_name, length);
 
     if ((!status) || (length==0))