diff options
| author | Marie Janssen <jamuraa@google.com> | 2016-03-09 15:31:48 -0800 |
|---|---|---|
| committer | The Android Automerger <android-build@google.com> | 2016-03-25 17:48:09 -0700 |
| commit | 9b534de2aca5d790c2a1c4d76b545f16137d95dd (patch) | |
| tree | 0741541fab6339c004230280e2d64b07458d7242 | |
| parent | 3ddadd2c27e6a22e2d2b205e9ff73d13e0c35cc5 (diff) | |
| download | android_system_bt-9b534de2aca5d790c2a1c4d76b545f16137d95dd.tar.gz android_system_bt-9b534de2aca5d790c2a1c4d76b545f16137d95dd.tar.bz2 android_system_bt-9b534de2aca5d790c2a1c4d76b545f16137d95dd.zip | |
DO NOT MERGE Check size of pin before replying
If a malicious client set a pin that was too long it would overflow
the pin code memory.
Bug: 27411268
Change-Id: I9197ac6fdaa92a4799dacb6364e04671a39450cc
| -rw-r--r-- | btif/src/btif_dm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c index 425af2296..c7a5ffe47 100644 --- a/btif/src/btif_dm.c +++ b/btif/src/btif_dm.c @@ -2436,7 +2436,7 @@ bt_status_t btif_dm_pin_reply( const bt_bdaddr_t *bd_addr, uint8_t accept, uint8_t pin_len, bt_pin_code_t *pin_code) { BTIF_TRACE_EVENT("%s: accept=%d", __FUNCTION__, accept); - if (pin_code == NULL) + if (pin_code == NULL || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL; #if (defined(BLE_INCLUDED) && (BLE_INCLUDED == TRUE)) |