Fix an OOB bug in btif_to_bta_response and attp_build_value_cmd
1. The size of `p_src->attr_value.value` is dependent on
`p_src->attr_value.len`. While copying `p_src->attr_value.value`
to `p_dest->attr_value.value`, it always copies GATT_MAX_ATTR_LEN
bytes, which may result in an OOB read in `p_src->attr_value.value`;
2. As the `p_dest->attr_value.len` does not map the length of
`p_dest->attr_value.value`, it may result in OOB read in
attp_build_value_cmd;
Bug: 276898739
Test: manual
Tag: #security
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:59c9e84bd31d4935a875d588bf4d2cc5bfb07d59)
Merged-In: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
Change-Id: Iefa66f3a293ac2072ba79853a9ec23cdfe4c1368
diff --git a/system/btif/src/btif_gatt_util.cc b/system/btif/src/btif_gatt_util.cc
index 290c431..404dc6a 100644
--- a/system/btif/src/btif_gatt_util.cc
+++ b/system/btif/src/btif_gatt_util.cc
@@ -18,6 +18,8 @@
#define LOG_TAG "bt_btif_gatt"
+#include <algorithm>
+
#include "btif_gatt_util.h"
#include <errno.h>
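Review bot: style point on the new `#include <algorithm>`: it is inserted above the module's own header `btif_gatt_util.h`, whereas the rest of this file (and the usual AOSP ordering) puts the module header first and system headers such as `<errno.h>` after it. Consider moving `#include <algorithm>` below `#include "btif_gatt_util.h"`, next to `<errno.h>`, so the include order stays consistent with the surrounding file.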
@@ -51,9 +53,9 @@
void btif_to_bta_response(tGATTS_RSP* p_dest, btgatt_response_t* p_src) {
p_dest->attr_value.auth_req = p_src->attr_value.auth_req;
p_dest->attr_value.handle = p_src->attr_value.handle;
- p_dest->attr_value.len = p_src->attr_value.len;
+ p_dest->attr_value.len = std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN);
p_dest->attr_value.offset = p_src->attr_value.offset;
- memcpy(p_dest->attr_value.value, p_src->attr_value.value, GATT_MAX_ATTR_LEN);
+ memcpy(p_dest->attr_value.value, p_src->attr_value.value, p_dest->attr_value.len);
}
/*******************************************************************************
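Review bot: the clamp `std::min<uint16_t>(p_src->attr_value.len, GATT_MAX_ATTR_LEN)` is stored into `p_dest->attr_value.len` before the `memcpy`, so the copy length and the length later consumed by attp_build_value_cmd are now the same bounded value; that closes both OOB reads described in the message. One thing still missing from this hunk is any signal when the clamp actually fires: a caller that passes `len > GATT_MAX_ATTR_LEN` is silently truncated, which hides a malformed or hostile response from the upper layer and makes the condition invisible in logs. Suggest adding a log (or rejecting the response) when `p_src->attr_value.len > GATT_MAX_ATTR_LEN`, e.g. `LOG_WARN("attr_value.len %u exceeds GATT_MAX_ATTR_LEN, truncating", p_src->attr_value.len);` right before the assignment, so oversized inputs can be detected rather than absorbed. The explicit `<uint16_t>` template argument is a good choice here since `GATT_MAX_ATTR_LEN` is a macro and an untyped `std::min` would not compile if the two operand types differ.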