diff options
author | Hansong Zhang <hsz@google.com> | 2018-04-11 16:04:51 -0700 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2018-06-08 18:52:35 +0200 |
commit | c30f6c6386201c0a1f1f503da249e5960f83d69a (patch) | |
tree | 2cdbcbce00633acecb1af5126079be5f78901e85 | |
parent | f598be7739fc50f80b4f7985b1c775766c85e3de (diff) | |
download | android_system_bt-c30f6c6386201c0a1f1f503da249e5960f83d69a.tar.gz android_system_bt-c30f6c6386201c0a1f1f503da249e5960f83d69a.tar.bz2 android_system_bt-c30f6c6386201c0a1f1f503da249e5960f83d69a.zip |
DO NOT MERGE Add bounds check for BNEP_Write
Bug: 74947856
Test: manual
Change-Id: If5db8c6b6e509a330ae74808fc3f0ffac137af14
(cherry picked from commit ae9d06c1dc84db36c0c4a07fc56a1fbf008cd1ce)
CVE-2018-9357
-rw-r--r-- | stack/bnep/bnep_api.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/stack/bnep/bnep_api.c b/stack/bnep/bnep_api.c index 76bffca50..7c7426383 100644 --- a/stack/bnep/bnep_api.c +++ b/stack/bnep/bnep_api.c @@ -23,6 +23,7 @@ ******************************************************************************/ #include <string.h> +#include <log/log.h> #include "bnep_api.h" #include "bnep_int.h" @@ -413,6 +414,10 @@ tBNEP_RESULT BNEP_WriteBuf (UINT16 handle, else { new_len += 4; + if (new_len > org_len) { + android_errorWriteLog(0x534e4554, "74947856"); + return BNEP_IGNORE_CMD; + } p_data[2] = 0; p_data[3] = 0; } @@ -521,6 +526,10 @@ tBNEP_RESULT BNEP_Write (UINT16 handle, else { new_len += 4; + if (new_len > org_len) { + android_errorWriteLog(0x534e4554, "74947856"); + return BNEP_IGNORE_CMD; + } p_data[2] = 0; p_data[3] = 0; } |