From c14c1fb86420bb69b1d8d2ee9e83108331183acd Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Thu, 13 Feb 2020 11:40:44 -0800
Subject: [PATCH] GattServcer: Check invalid offset

Test: manual
Bug: 143231677
Change-Id: I0396380f431cdb7f91c78db6de9043ea0f373dfe
Merged-In: I97e2c3ae15fccc482d07d8d621c455cc74900cfd
Merged-In: I0ca22e7c60292d61c758120c1cd67f6e6edd8ae8
---
 service/gatt_server.cc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/service/gatt_server.cc b/service/gatt_server.cc
index 63bacbb8f..104afe165 100644
--- a/service/gatt_server.cc
+++ b/service/gatt_server.cc
@@ -16,6 +16,7 @@
 #include "service/gatt_server.h"
+#include "osi/include/log.h"
 #include "service/logging_helpers.h"
 #include "stack/include/bt_types.h"
@@ -114,6 +115,12 @@ bool GattServer::SendResponse(const std::string& device_address, int request_id,
 return false;
 }
+ if (offset < 0) {
+ android_errorWriteLog(0x534e4554, "143231677");
+ LOG(ERROR) << "Offset is less than 0 offset: " << offset;
+ return false;
+ }
+
 if (value.size() + offset > BTGATT_MAX_ATTR_LEN) {
 LOG(ERROR) << "Value is too large";
 return false;
--
2.11.0
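Review bot: The length check right below the new guard in the second hunk, `value.size() + offset > BTGATT_MAX_ATTR_LEN`, still adds what appears to be a signed `offset` to an unsigned size, so it is only correct because the `offset < 0` return now sits above it. The parameter list is cut off in the hunk header, so the type of `offset` is inferred from the `< 0` test. I would make the bound explicit and free of wrap-around by writing `if (value.size() > BTGATT_MAX_ATTR_LEN || static_cast<size_t>(offset) > BTGATT_MAX_ATTR_LEN - value.size()) {`. A one-line comment above the new guard would stop a later reorder from reopening the bug, for example `// Must precede the length check: a negative offset converts to a huge size_t there.`. `SendResponse` starts and ends outside the hunk, so whether `offset` is validated again further down cannot be seen from here.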