Fix an OOB bug in parse_gap_data

Bug: 277590580 bug: 275553827 Test: atest net_test_main_shim Ignore-AOSP-First: security Tag: #security (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0d7e3d8fd96389f1435b76f37064c69ae61df6e7) Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f
author: Hui Peng <phui@google.com> 2023-08-21 10:40:17 -0700
committer: Julian Veit <claymore1298@gmail.com> 2023-12-06 13:30:19 +0100
commit: 40dcf0dcda721240410059fa4fac5881f466d66f (patch)
tree: ac95cfd6bc4021b2a2137bc60c33e99c205b6ae1
parent: 61182f4274541fd95f5c9f69ef383553842783d3 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/system/main/shim/utils.cc b/system/main/shim/utils.cc
index dcf1725beb..9f18ddc4f7 100644
--- a/system/main/shim/utils.cc
+++ b/system/main/shim/utils.cc
@@ -25,6 +25,10 @@ void parse_gap_data(const std::vector<uint8_t> &raw_data,
       hci::GapData gap_data;
       uint8_t len = raw_data[offset];
 
+      if (offset + len + 1 > raw_data.size()) {
+        break;
+      }
+
       auto begin = raw_data.begin() + offset;
       auto end = begin + len + 1;  // 1 byte for len
       auto data_copy = std::make_shared<std::vector<uint8_t>>(begin, end);
author	Hui Peng <phui@google.com>	2023-08-21 10:40:17 -0700
committer	Julian Veit <claymore1298@gmail.com>	2023-12-06 13:30:19 +0100
commit	40dcf0dcda721240410059fa4fac5881f466d66f (patch)
tree	ac95cfd6bc4021b2a2137bc60c33e99c205b6ae1
parent	61182f4274541fd95f5c9f69ef383553842783d3 (diff)