
DO NOT MERGE Fix OOB read before buffer length check
authorUgo Yu <ugoyu@google.com>
Wed, 8 Aug 2018 06:57:25 +0000 (14:57 +0800)
committerRyan Longair <rlongair@google.com>
Wed, 15 Aug 2018 20:24:05 +0000 (13:24 -0700)
Bug: 111936834
Test: manual
Change-Id: I60c500651f130876934a7b80889f4e021055fe73
(cherry picked from commit e64b4a38b049853b8e6e2f8e16dd15765e290f42)

stack/smp/smp_act.c

index 688d967..e3be538 100644 (file)
@@ -828,14 +828,18 @@ void smp_process_keypress_notification(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
     UINT8 reason = SMP_INVALID_PARAMETERS;
 
     SMP_TRACE_DEBUG("%s", __func__);
-    p_cb->status = *(UINT8 *)p_data;
 
     if (smp_command_has_invalid_parameters(p_cb))
     {
+        if (p_cb->rcvd_cmd_len < 2) {  // 1 (opcode) + 1 (Notif Type) bytes
+            android_errorWriteLog(0x534e4554, "111936834");
+        }
         smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
         return;
     }
 
+    p_cb->status = *(UINT8 *)p_data;
+
     if (p != NULL)
     {
         STREAM_TO_UINT8(p_cb->peer_keypress_notification, p);
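Review bot: The relocated `p_cb->status = *(UINT8 *)p_data;` still dereferences `p_data` unconditionally, while the statement right after it guards `p` with `if (p != NULL)`. The declaration of `p` sits above the hunk, so this is inferred, but if `p` is initialised from `p_data` the NULL test arrives too late to protect that read. Moving the assignment to be the first statement inside the guarded block, i.e. `if (p != NULL) { p_cb->status = *(UINT8 *)p_data; ...`, would put both reads behind the same check. The `< 2` literal in the logging branch also repeats a length that `smp_command_has_invalid_parameters` presumably already knows, so a named constant or a comment such as `/* SafetyNet event tag; second argument is the bug id */` on the `android_errorWriteLog` call would make the intent easier to audit. The function body continues past the end of the hunk.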