Merge "Fix potential use after free in pan_api.cc" into tm-dev
diff --git a/system/stack/pan/pan_api.cc b/system/stack/pan/pan_api.cc
index 40b26a3..3989dac 100644
--- a/system/stack/pan/pan_api.cc
+++ b/system/stack/pan/pan_api.cc
@@ -509,6 +509,12 @@
return PAN_FAILURE;
}
+ /* There are cases where BNAP_WriteBuf alters p_buf->len. However,
+ * the octets being handled are only used later by PAN for logging
+ * purposes, and for those purposes this length is arguably correct --
+ * it is the number of bytes handled at the PAN level. */
+ uint16_t bytes = p_buf->len;
+
result =
BNEP_WriteBuf(pan_cb.pcb[i].handle, dst, p_buf, protocol, &src, ext);
if (result == BNEP_IGNORE_CMD) {
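Review bot: The comment added above `uint16_t bytes = p_buf->len;` misspells the callee as `BNAP_WriteBuf` and mentions only a changed length, while the commit title says the defect is a use after free. The callee's contract is not visible in this diff, so the following assumes the title is accurate. I would keep the logging rationale but state the lifetime rule first, e.g. `/* BNEP_WriteBuf takes ownership of p_buf and may free it or alter p_buf->len; capture the length before the call and do not dereference p_buf afterwards. */`. The enclosing function starts and ends outside the hunk, so any other read of `p_buf` after the call, including in the `BNEP_IGNORE_CMD` branch, should be checked against the same rule.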
@@ -519,7 +525,7 @@
return (tPAN_RESULT)result;
}
- pan_cb.pcb[i].write.octets += p_buf->len;
+ pan_cb.pcb[i].write.octets += bytes;
pan_cb.pcb[i].write.packets++;
PAN_TRACE_DEBUG("PAN successfully wrote data for the PANU connection");