Handle bogus multi value packet lengths

author Chris Manton <cmanton@google.com>

Wed, 8 Dec 2021 02:57:48 +0000 (18:57 -0800)

committer Chris Manton <cmanton@google.com>

Thu, 9 Dec 2021 00:07:46 +0000 (00:07 +0000)
author Chris Manton <cmanton@google.com>
Wed, 8 Dec 2021 02:57:48 +0000 (18:57 -0800)
committer Chris Manton <cmanton@google.com>
Thu, 9 Dec 2021 00:07:46 +0000 (00:07 +0000)
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc

index 8c3567d..cb5c138 100644 (file)
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -745,7 +745,7 @@ void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
      rem_len -= 4;
      // Make sure we don't read past the remaining data even if the length says
      // we can Also need to watch comparing the int16_t with the uint16_t
-    value.len = std::min(rem_len, (int16_t)value.len);
+    value.len = std::min((uint16_t)rem_len, value.len);
      STREAM_TO_ARRAY(value.value, p, value.len);
      // Accounting
      rem_len -= value.len;
author	Chris Manton <cmanton@google.com>
	Wed, 8 Dec 2021 02:57:48 +0000 (18:57 -0800)
committer	Chris Manton <cmanton@google.com>
	Thu, 9 Dec 2021 00:07:46 +0000 (00:07 +0000)