diff options
| author | Jakub Pawlowski <jpawlowski@google.com> | 2020-03-20 15:24:00 +0100 |
|---|---|---|
| committer | syphyr <syphyr@gmail.com> | 2020-05-07 00:45:16 +0200 |
| commit | a68df7b0d0d5fab28d118b647c43b66195d6b5bd (patch) | |
| tree | c82080003e0d8678f3cb048860b86edb59e6a65e | |
| parent | 01b84e0a8888e6e6843aab86811ceb8e6139698b (diff) | |
| download | android_system_bt-cm-14.1.tar.gz android_system_bt-cm-14.1.tar.bz2 android_system_bt-cm-14.1.zip | |
Fix potential stack overflow caused by integer overflowcm-14.1
Bug: 151155194
Merged-In: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
Change-Id: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
(cherry picked from commit 1570b62c88d7c5b9c6bfe43da8cc16ea30d3e8df)
| -rw-r--r-- | stack/smp/smp_cmac.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/stack/smp/smp_cmac.c b/stack/smp/smp_cmac.c index 1989292e8..6ddaab172 100644 --- a/stack/smp/smp_cmac.c +++ b/stack/smp/smp_cmac.c @@ -293,7 +293,8 @@ static BOOLEAN cmac_generate_subkey(BT_OCTET16 key) BOOLEAN aes_cipher_msg_auth_code(BT_OCTET16 key, UINT8 *input, UINT16 length, UINT16 tlen, UINT8 *p_signature) { - UINT16 len, diff; + UINT32 len; + UINT16 diff; UINT16 n = (length + BT_OCTET16_LEN - 1) / BT_OCTET16_LEN; /* n is number of rounds */ BOOLEAN ret = FALSE; |