authorJakub Pawlowski <jpawlowski@google.com>2018-11-27 18:22:22 +0100
committerTim Schumacher <timschumi@gmx.de>2019-03-23 15:50:54 +0100
commit4363f8407fb8dfe628b4e34eda4d1ed443461b0d (patch)
tree44571a059bd40743f7ab13c7f5d75f3548cc9f22 /stack/smp/smp_utils.c
parent108912d72017f3273081c1106acd539bf8be7a6c (diff)
Fix buffer overflow in btif_dm_data_copy
When we use a union, we should always define variables as the union type, not as one of the field subtypes. If the latter is cast to the union type, buffer overflow can happen. Bug: 110166268 Test: compilation Change-Id: I473c03b099ad5a326e7a3739f65efd33cf4775bd Merged-In: I473c03b099ad5a326e7a3739f65efd33cf4775bd (cherry picked from commit ea90417d9965aec1c475418ca8f8f305af12de2d)
Diffstat (limited to 'stack/smp/smp_utils.c')
-rw-r--r--stack/smp/smp_utils.c26
1 files changed, 13 insertions, 13 deletions
diff --git a/stack/smp/smp_utils.c b/stack/smp/smp_utils.c
index da54fdfd8..94fd2a340 100644
--- a/stack/smp/smp_utils.c
+++ b/stack/smp/smp_utils.c
@@ -1465,23 +1465,23 @@ BOOLEAN smp_check_commitment(tSMP_CB *p_cb)
*******************************************************************************/
void smp_save_secure_connections_long_term_key(tSMP_CB *p_cb)
{
- tBTM_LE_LENC_KEYS lle_key;
- tBTM_LE_PENC_KEYS ple_key;
+ tBTM_LE_KEY_VALUE lle_key;
+ tBTM_LE_KEY_VALUE ple_key;
SMP_TRACE_DEBUG("%s-Save LTK as local LTK key", __func__);
- memcpy(lle_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
- lle_key.div = 0;
- lle_key.key_size = p_cb->loc_enc_size;
- lle_key.sec_level = p_cb->sec_level;
- btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, (tBTM_LE_KEY_VALUE *)&lle_key, TRUE);
+ memcpy(lle_key.lenc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
+ lle_key.lenc_key.div = 0;
+ lle_key.lenc_key.key_size = p_cb->loc_enc_size;
+ lle_key.lenc_key.sec_level = p_cb->sec_level;
+ btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_LENC, &lle_key, TRUE);
SMP_TRACE_DEBUG("%s-Save LTK as peer LTK key", __func__);
- ple_key.ediv = 0;
- memset(ple_key.rand, 0, BT_OCTET8_LEN);
- memcpy(ple_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
- ple_key.sec_level = p_cb->sec_level;
- ple_key.key_size = p_cb->loc_enc_size;
- btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, (tBTM_LE_KEY_VALUE *)&ple_key, TRUE);
+ ple_key.penc_key.ediv = 0;
+ memset(ple_key.penc_key.rand, 0, BT_OCTET8_LEN);
+ memcpy(ple_key.penc_key.ltk, p_cb->ltk, BT_OCTET16_LEN);
+ ple_key.penc_key.sec_level = p_cb->sec_level;
+ ple_key.penc_key.key_size = p_cb->loc_enc_size;
+ btm_sec_save_le_key(p_cb->pairing_bda, BTM_LE_KEY_PENC, &ple_key, TRUE);
}
/*******************************************************************************
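Review bot: `lle_key` and `ple_key` are now full `tBTM_LE_KEY_VALUE` unions on the stack, but only the `lenc_key` / `penc_key` member is filled in, so any union bytes outside that member are indeterminate when `btm_sec_save_le_key()` receives them. The commit message indicates that code further down treats the pointer as the whole union; if it copies or persists `sizeof(tBTM_LE_KEY_VALUE)` bytes, stale stack contents would be stored alongside the key. That callee is not visible in this hunk, so this needs confirming against it. Clearing each variable before the field assignments removes the question: `memset(&lle_key, 0, sizeof(lle_key));` and `memset(&ple_key, 0, sizeof(ple_key));`. A one-line comment above the declarations, e.g. `/* Declared as the full union because the pointer is passed on as tBTM_LE_KEY_VALUE* */`, would also keep a later cleanup from narrowing the types again.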