authorKevin F. Haggerty <haggertk@lineageos.org>2020-05-06 06:48:44 -0600
committerKevin F. Haggerty <haggertk@lineageos.org>2020-05-06 06:48:44 -0600
commitc774cdf7dd5dbbef576fb64f1c647bea00b90f20 (patch)
treee236cb9f4f492b9bd0f08e55a2e05ffcf740151b
parenteb46269e375c3cc0ee2d52c0e2c2f22e33703748 (diff)
parentb7f8f4d38ae634b9a30c4481c3a907e17a173c61 (diff)
Merge tag 'android-8.1.0_r76' of https://android.googlesource.com/platform/system/bt into staging/lineage-15.1_merge-android-8.1.0_r76lineage-15.1
Android 8.1.0 release 76 * tag 'android-8.1.0_r76' of https://android.googlesource.com/platform/system/bt: Fix potential stack overflow caused by integer overflow GattServcer: Check invalid offset Change-Id: I602ec42068bf3579a468fbc93b065110fedc0e18
-rw-r--r--service/gatt_server.cc7
-rw-r--r--stack/smp/smp_cmac.cc3
2 files changed, 9 insertions, 1 deletions
diff --git a/service/gatt_server.cc b/service/gatt_server.cc
index 63bacbb8f..104afe165 100644
--- a/service/gatt_server.cc
+++ b/service/gatt_server.cc
@@ -16,6 +16,7 @@
#include "service/gatt_server.h"
+#include "osi/include/log.h"
#include "service/logging_helpers.h"
#include "stack/include/bt_types.h"
@@ -114,6 +115,12 @@ bool GattServer::SendResponse(const std::string& device_address, int request_id,
return false;
}
+ if (offset < 0) {
+ android_errorWriteLog(0x534e4554, "143231677");
+ LOG(ERROR) << "Offset is less than 0 offset: " << offset;
+ return false;
+ }
+
if (value.size() + offset > BTGATT_MAX_ATTR_LEN) {
LOG(ERROR) << "Value is too large";
return false;
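Review bot: The new `offset < 0` guard has no comment saying why it has to sit before the size check. In `value.size() + offset` a negative signed offset would be converted to unsigned, so a small negative value could wrap the sum back under BTGATT_MAX_ATTR_LEN and pass; this assumes offset is a signed int, which the `< 0` test implies, but its declaration is outside the hunk. I would add `// Reject negative offsets first: the size check below is unsigned arithmetic and would not catch them.` above the guard. The literal `0x534e4554` would also read better with a short comment or a named constant saying it is the SafetyNet event-log tag. SendResponse's body starts and ends outside the hunk.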
diff --git a/stack/smp/smp_cmac.cc b/stack/smp/smp_cmac.cc
index 876c42008..23c1db1b5 100644
--- a/stack/smp/smp_cmac.cc
+++ b/stack/smp/smp_cmac.cc
@@ -278,7 +278,8 @@ static bool cmac_generate_subkey(BT_OCTET16 key) {
******************************************************************************/
bool aes_cipher_msg_auth_code(BT_OCTET16 key, uint8_t* input, uint16_t length,
uint16_t tlen, uint8_t* p_signature) {
- uint16_t len, diff;
+ uint32_t len;
+ uint16_t diff;
uint16_t n = (length + BT_OCTET16_LEN - 1) /
BT_OCTET16_LEN; /* n is number of rounds */
bool ret = false;
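Review bot: The widened `uint32_t len` carries no comment explaining why it differs from the `uint16_t` variables declared next to it, so a later tidy-up could narrow it again. From the visible `n` computation, n can reach 4096 when length is near 65535, and a byte count of n * BT_OCTET16_LEN would then be 65536, which does not fit in 16 bits; presumably that is the overflow the commit message refers to, though the use of len is outside the hunk. I would add `/* 32-bit on purpose: n * BT_OCTET16_LEN can exceed UINT16_MAX */` beside the declaration. It is also worth confirming that no later use narrows len back to 16 bits (for example a difference stored in `diff` or a 16-bit size parameter), since the function body continues past the hunk.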