Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix integer overflow in build_read_multi_rsp
Local variables tracking structure size in build_read_multi_rsp are of uint16 type but accept a full uint16 range from function arguments while appending a fixed-length offset. This can lead to an integer overflow and unexpected behavior. Change the locals to size_t, and add a check during reasssignment. Bug: 273966636 Test: atest bluetooth_test_gd_unit, net_test_stack_btm Tag: #security Ignore-AOSP-First: Security (cherry picked from commit 70a4d62) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:badb8ffce06b517cbcfdbfa68cb7b7e02d22494a) Merged-In: I3a74bdb0d003cb6bf4f282615be8c68836676715 Change-Id: I3a74bdb0d003cb6bf4f282615be8c68836676715
- Loading branch information