Fix an OOB write bug in attp_build_read_by_type_value_cmd

Bug: 297524203 Test: m com.android.btservices Ignore-AOSP-First: security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:140c41e3553bc59fe97e3f5ee96c64e2251971e2) (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e9b40c3dfd81c3fa99b3f115135de7e2c356ece9) Merged-In: I2a95bbcce9a16ac84dd714eb4561428711a9872e Change-Id: I2a95bbcce9a16ac84dd714eb4561428711a9872e
realme-mt6781-dev · Dec 15, 2023 · 2d11abc · 2d11abc
1 parent 67241b7
commit 2d11abc
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/system/stack/gatt/att_protocol.cc b/system/stack/gatt/att_protocol.cc
@@ -165,7 +165,13 @@ static BT_HDR* attp_build_read_by_type_value_cmd(
     uint16_t payload_size, tGATT_FIND_TYPE_VALUE* p_value_type) {
   uint8_t* p;
   uint16_t len = p_value_type->value_len;
-  BT_HDR* p_buf =
+  BT_HDR* p_buf = nullptr;
+
+  if (payload_size < 5) {
+    return nullptr;
+  }
+
+  p_buf =
       (BT_HDR*)osi_malloc(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET);
 
   p = (uint8_t*)(p_buf + 1) + L2CAP_MIN_OFFSET;