From: Ajay Panicker Date: Fri, 23 Oct 2015 23:49:11 +0000 (-0700) Subject: Prevent integer overflows during GATT signing X-Git-Tag: android-x86-7.1-r1~394^2~96^2~19 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=c8fd18625f;p=android-x86%2Fsystem-bt.git Prevent integer overflows during GATT signing Bug: 17901099 Change-Id: Ib61113b19c9c9798b9ea992fad0ce997dcc2e2f8
---
diff --git a/stack/gatt/gatt_auth.c b/stack/gatt/gatt_auth.c
index 37895196a..206985be3 100644
--- a/stack/gatt/gatt_auth.c
+++ b/stack/gatt/gatt_auth.c
@@ -103,6 +103,11 @@ void gatt_verify_signature(tGATT_TCB *p_tcb, BT_HDR *p_buf)
 UINT8 *p, *p_orig = (UINT8 *)(p_buf + 1) + p_buf->offset;
 UINT32 counter;
+ if (p_buf->len < GATT_AUTH_SIGN_LEN + 4) {
+ GATT_TRACE_ERROR("%s: Data length %u less than expected %u",
+ __func__, p_buf->len, GATT_AUTH_SIGN_LEN + 4);
+ return;
+ }
 cmd_len = p_buf->len - GATT_AUTH_SIGN_LEN + 4;
 p = p_orig + cmd_len - 4;
 STREAM_TO_UINT32(counter, p);
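Review bot: The threshold in the new guard, `GATT_AUTH_SIGN_LEN + 4`, is not explained, and the bare `4` now appears in the check, in the trace and in both pointer computations without saying what it measures. From the visible arithmetic, `p = p_orig + cmd_len - 4` reduces to `p_orig + p_buf->len - GATT_AUTH_SIGN_LEN`, so `p_buf->len >= GATT_AUTH_SIGN_LEN` alone would keep `p` at or after `p_orig`; the extra 4 presumably reserves a minimum command payload, and a comment above the check such as `/* reject PDUs too short to hold the signature block plus a 4-byte minimum command; keeps cmd_len from wrapping */` would make the bound auditable (confirm the wording against the definition of GATT_AUTH_SIGN_LEN, which is not visible here). The early `return` drops the PDU with only a trace, and since the rest of gatt_verify_signature lies outside the hunk it is worth confirming that this path leaves the buffer and any pending security state the same way the existing bad-signature path does. As a style point, both `%u` arguments are int after promotion, so `(unsigned)p_buf->len` and `(unsigned)(GATT_AUTH_SIGN_LEN + 4)` would match the format exactly.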