Skip to content

Commit

Permalink
Fix UAF in gatt_cl.cc
Browse files Browse the repository at this point in the history 
gatt_cl.cc accesses a header field after the buffer holding it may have
been freed.

Track the relevant state as a local variable instead.

Bug: 274617156
Test: atest: bluetooth, validated against fuzzer
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:cbaa83627b328eee8f2e26188909a5ebfb0388d5)
Merged-In: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
Change-Id: I085ecfa1a9ba098ecbfecbd3cb3e263ae13f9724
  • Loading branch information
@thestinger
Brian Delwiche authored and thestinger committed Sep 6, 2023
1 parent 89fb17d commit 14aed24
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion system/stack/gatt/gatt_cl.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -609,12 +609,17 @@ void gatt_process_prep_write_rsp(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,

memcpy(value.value, p, value.len);

bool subtype_is_write_prepare = (p_clcb->op_subtype == GATT_WRITE_PREPARE);

if (!gatt_check_write_long_terminate(tcb, p_clcb, &value)) {
gatt_send_prepare_write(tcb, p_clcb);
return;
}

if (p_clcb->op_subtype == GATT_WRITE_PREPARE) {
// We now know that we have not terminated, or else we would have returned
// early. We free the buffer only if the subtype is not equal to
// GATT_WRITE_PREPARE, so checking here is adequate to prevent UAF.
if (subtype_is_write_prepare) {
/* application should verify handle offset
and value are matched or not */
gatt_end_operation(p_clcb, p_clcb->status, &value);
Expand Down

0 comments on commit 14aed24

Please sign in to comment.