system/bt
| リビジョン | b7f8f4d38ae634b9a30c4481c3a907e17a173c61 (tree) |
|---|---|
| 日時 | 2020-04-10 05:45:17 |
| 作者 | Jakub Pawlowski <jpawlowski@goog...> |
| コミッター | Anis Assi |
Fix potential stack overflow caused by integer overflow
Bug: 151155194
Merged-In: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
Change-Id: I0655b0b62301f78cd8705cc7b0e4fc11522f00ca
(cherry picked from commit 1570b62c88d7c5b9c6bfe43da8cc16ea30d3e8df)
stack/smp/smp_cmac.cc (diff)| @@ -278,7 +278,8 @@ static bool cmac_generate_subkey(BT_OCTET16 key) { | ||
| 278 | 278 | ******************************************************************************/ |
| 279 | 279 | bool aes_cipher_msg_auth_code(BT_OCTET16 key, uint8_t* input, uint16_t length, |
| 280 | 280 | uint16_t tlen, uint8_t* p_signature) { |
| 281 | - uint16_t len, diff; | |
| 281 | + uint32_t len; | |
| 282 | + uint16_t diff; | |
| 282 | 283 | uint16_t n = (length + BT_OCTET16_LEN - 1) / |
| 283 | 284 | BT_OCTET16_LEN; /* n is number of rounds */ |
| 284 | 285 | bool ret = false; |
Fork