diff options
| author | Jakub Pawlowski <jpawlowski@google.com> | 2018-05-10 00:16:13 -0700 |
|---|---|---|
| committer | Tim Schumacher <timschumi@gmx.de> | 2018-07-17 07:20:59 +0200 |
| commit | be0ce8e453ada825dde0e0055e891f99045f7730 (patch) | |
| tree | 324943dfd48724edecc21c176160492b45d9bd0c | |
| parent | 454570d2a9a43fce05aadaf401bc341403efab78 (diff) | |
| download | android_packages_apps_Bluetooth-cm-11.0.tar.gz android_packages_apps_Bluetooth-cm-11.0.tar.bz2 android_packages_apps_Bluetooth-cm-11.0.zip | |
Make sure server response doesn't exceed maximum allowable lengthcm-11.0
Bug: 78787521
Test: try sending response bigger than BTGATT_MAX_ATTR_LEN
Change-Id: I51b12483cced7e4c0d967acf5bb42559ef169fe7
Merged-In: I51b12483cced7e4c0d967acf5bb42559ef169fe7
(cherry picked from commit 0f34ae9398ed017465c0cac7387be9e6951c07be)
(cherry picked from commit c2813a2b6e6dda20e9a25947a4cf5adf6a4f4132)
| -rw-r--r-- | jni/com_android_bluetooth_gatt.cpp | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/jni/com_android_bluetooth_gatt.cpp b/jni/com_android_bluetooth_gatt.cpp index 1ffac4e08..a4e5322d6 100644 --- a/jni/com_android_bluetooth_gatt.cpp +++ b/jni/com_android_bluetooth_gatt.cpp @@ -1241,7 +1241,13 @@ static void gattServerSendResponseNative (JNIEnv *env, jobject object, if (val != NULL) { - response.attr_value.len = (uint16_t) env->GetArrayLength(val); + if (env->GetArrayLength(val) < BTGATT_MAX_ATTR_LEN) { + response.attr_value.len = (uint16_t)env->GetArrayLength(val); + } else { + android_errorWriteLog(0x534e4554, "78787521"); + response.attr_value.len = BTGATT_MAX_ATTR_LEN; + } + jbyte* array = env->GetByteArrayElements(val, 0); for (int i = 0; i != response.attr_value.len; ++i) |