OSDN Git Service
(root)
/
android-x86
/
system-bt.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
41a91a5
)
Prevent integer overflows during GATT signing
author
Ajay Panicker
<apanicke@google.com>
Fri, 23 Oct 2015 23:49:11 +0000
(16:49 -0700)
committer
Scott James Remnant
<keybuk@google.com>
Mon, 23 Nov 2015 20:13:15 +0000
(12:13 -0800)
Bug:
17901099
Change-Id: Ib61113b19c9c9798b9ea992fad0ce997dcc2e2f8
stack/gatt/gatt_auth.c
patch
|
blob
|
history
diff --git
a/stack/gatt/gatt_auth.c
b/stack/gatt/gatt_auth.c
index
3789519
..
206985b
100644
(file)
--- a/
stack/gatt/gatt_auth.c
+++ b/
stack/gatt/gatt_auth.c
@@
-103,6
+103,11
@@
void gatt_verify_signature(tGATT_TCB *p_tcb, BT_HDR *p_buf)
UINT8 *p, *p_orig = (UINT8 *)(p_buf + 1) + p_buf->offset;
UINT32 counter;
+ if (p_buf->len < GATT_AUTH_SIGN_LEN + 4) {
+ GATT_TRACE_ERROR("%s: Data length %u less than expected %u",
+ __func__, p_buf->len, GATT_AUTH_SIGN_LEN + 4);
+ return;
+ }
cmd_len = p_buf->len - GATT_AUTH_SIGN_LEN + 4;
p = p_orig + cmd_len - 4;
STREAM_TO_UINT32(counter, p);