From ae69f556b8c99840d7f4e5e7e1e8db364a605fa2 Mon Sep 17 00:00:00 2001 From: Scott Bauer Date: Thu, 6 Apr 2017 18:35:40 -0600 Subject: [PATCH] Read the correct amount of attributes bta_gattc_cache_load currently attempts to read 0xFF attributes into an allocation sized to num_attr attributes, which can be smaller than 0xFF. There aren't more than num_attr bytes in correct data, but this breaks with dynamic buffer overflow checking in CopperheadOS for the read system call since fread ends up calling read, which obtains the size of the allocation from the malloc implementation and then aborts due to the (potential) overflow. This would also fail with the default enabled _FORTIFY_SOURCE=2 feature in the Android Open Source Project if osi_malloc was marked with the alloc_size attribute. The way it wraps malloc loses that information so fortify checks aren't done for calls like this. Bug: 37160362 Change-Id: I68bd170d5378c9d9d21cbda376083bc0b857e15c Signed-off-by: Scott Bauer [migrated to C++ file, added 0xFFFF limit and wrote commit message] Signed-off-by: Daniel Micay (cherry picked from commit 8eb6493ad56ed4fd8310bf96042cc54eb5b450dd) --- bta/gatt/bta_gattc_cache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bta/gatt/bta_gattc_cache.c b/bta/gatt/bta_gattc_cache.c index 63c424696..45d258824 100644 --- a/bta/gatt/bta_gattc_cache.c +++ b/bta/gatt/bta_gattc_cache.c @@ -1551,7 +1551,7 @@ bool bta_gattc_cache_load(tBTA_GATTC_CLCB *p_clcb) attr = osi_malloc(sizeof(tBTA_GATTC_NV_ATTR) * num_attr); - if (fread(attr, sizeof(tBTA_GATTC_NV_ATTR), 0xFF, fd) != num_attr) { + if (fread(attr, sizeof(tBTA_GATTC_NV_ATTR), num_attr, fd) != num_attr) { APPL_TRACE_ERROR("%s: can't read GATT attributes: %s", __func__, fname); goto done; } -- 2.11.0