Handle bogus multi value packet lengths

author Chris Manton <cmanton@google.com>

Wed, 8 Dec 2021 02:57:48 +0000 (18:57 -0800)

committer Chris Manton <cmanton@google.com>

Thu, 9 Dec 2021 00:05:32 +0000 (16:05 -0800)
author Chris Manton <cmanton@google.com>
Wed, 8 Dec 2021 02:57:48 +0000 (18:57 -0800)
committer Chris Manton <cmanton@google.com>
Thu, 9 Dec 2021 00:05:32 +0000 (16:05 -0800)
diff --git a/stack/gatt/gatt_cl.cc b/stack/gatt/gatt_cl.cc

index ae22dd6..5a20050 100644 (file)
--- a/stack/gatt/gatt_cl.cc
+++ b/stack/gatt/gatt_cl.cc
@@ -747,7 +747,7 @@ void gatt_process_notification(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
      rem_len -= 4;
      // Make sure we don't read past the remaining data even if the length says
      // we can Also need to watch comparing the int16_t with the uint16_t
-    value.len = std::min(rem_len, (int16_t)value.len);
+    value.len = std::min((uint16_t)rem_len, value.len);
      STREAM_TO_ARRAY(value.value, p, value.len);
      // Accounting
      rem_len -= value.len;
author	Chris Manton <cmanton@google.com>
	Wed, 8 Dec 2021 02:57:48 +0000 (18:57 -0800)
committer	Chris Manton <cmanton@google.com>
	Thu, 9 Dec 2021 00:05:32 +0000 (16:05 -0800)