diff options
author | Marie Janssen <jamuraa@google.com> | 2016-03-09 15:31:48 -0800 |
---|---|---|
committer | Jessica Wagantall <jwagantall@cyngn.com> | 2016-05-03 12:35:53 -0700 |
commit | 71093406178c9173190d2d9aaa016652620166d1 (patch) | |
tree | 110a3182807b68410770b1fa0d238cf3bbb5cb15 | |
parent | 22597211f212d570dc0d69caeb3ded4ddae7bf00 (diff) | |
download | android_system_bt-71093406178c9173190d2d9aaa016652620166d1.tar.gz android_system_bt-71093406178c9173190d2d9aaa016652620166d1.tar.bz2 android_system_bt-71093406178c9173190d2d9aaa016652620166d1.zip |
DO NOT MERGE Check size of pin before replying
If a malicious client set a pin that was too long it would overflow
the pin code memory.
Ticket: CYNGNOS-2373
Bug: 27411268
Change-Id: I9197ac6fdaa92a4799dacb6364e04671a39450cc
(cherry picked from commit f0a69c392117c69c5f66dd239f5a5cfd89a7331e)
-rw-r--r-- | btif/src/btif_dm.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/btif/src/btif_dm.c b/btif/src/btif_dm.c index 2991fee64..34b8077ea 100644 --- a/btif/src/btif_dm.c +++ b/btif/src/btif_dm.c @@ -2728,7 +2728,7 @@ bt_status_t btif_dm_pin_reply( const bt_bdaddr_t *bd_addr, uint8_t accept, uint8_t pin_len, bt_pin_code_t *pin_code) { BTIF_TRACE_EVENT("%s: accept=%d", __FUNCTION__, accept); - if (pin_code == NULL) + if (pin_code == NULL || pin_len > PIN_CODE_LEN) return BT_STATUS_FAIL; #if (defined(BLE_INCLUDED) && (BLE_INCLUDED == TRUE)) |