From 7f9bcf85168b776133ebb8c7b3f2db16a1ec0f79 Mon Sep 17 00:00:00 2001
From: Zhihai Xu
Date: Wed, 15 Jan 2014 15:49:21 -0800
Subject: [PATCH] memory corruption on bluetooth stack.

This memory corruption will happen if the remote BLE device name is more than 249 bytes (the maximum attribute length our BLE support is 600.). after we send/receive GATT remote device name service attribute. We will copy upto 600 bytes data to a local name buffer with size of 249. This will cause serious memory corruption on the stack memory.

bug:12570982
Change-Id: I5b2ffd5f5a16f4d80d5491e86bf18bf47e30629e
---
 stack/btm/btm_ble_gap.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/stack/btm/btm_ble_gap.c b/stack/btm/btm_ble_gap.c
index bfe5fda08..394964050 100644
--- a/stack/btm/btm_ble_gap.c
+++ b/stack/btm/btm_ble_gap.c
@@ -1145,6 +1145,10 @@ void btm_ble_read_remote_name_cmpl(BOOLEAN status, BD_ADDR bda, UINT16 length, c
 BD_NAME bd_name;
 memset(bd_name, 0, (BD_NAME_LEN + 1));
+ if (length > BD_NAME_LEN)
+ {
+ length = BD_NAME_LEN;
+ }
 memcpy((UINT8*)bd_name, p_name, length);
 if ((!status) || (length==0))
-- 
2.11.0
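Review bot: The new clamp bounds the copy, but the `memcpy((UINT8*)bd_name, p_name, length)` line still executes before the `if ((!status) || (length==0))` test that follows it, so on a failed read the function copies `length` bytes out of `p_name` before deciding the result is unusable; whether the caller can hand in a NULL or stale `p_name` on failure is not visible here (the signature is truncated in the hunk header), so either move the clamp and memcpy below that status check or guard the copy with `if (p_name != NULL && length > 0)`. The clamp also deserves a why-comment, since the 248 vs 600 relationship is only in the commit message: `/* peer-supplied name may be up to the GATT attribute max; bd_name holds BD_NAME_LEN + 1 bytes, so cap the copy and keep the NUL from the memset */`. Silent truncation of an over-long name is acceptable for a device name, but a debug-level log at the clamp would make the condition observable during testing. btm_ble_read_remote_name_cmpl starts before and continues past this hunk.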