From 32bc56a6652bb8e88c32414d3a38758c7d2dbcf9 Mon Sep 17 00:00:00 2001
From: Marcin Kraglak
Date: Fri, 31 Oct 2014 09:52:00 +0100
Subject: [PATCH] shared/gatt: Fix incorrect data read

Data set in Find By Type Value response contains 4 octets, 2 for start handle and two for end group handle. Reading data with offset 6 from end of pdu can cause illegal access.
---
 src/shared/gatt-helpers.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/shared/gatt-helpers.c b/src/shared/gatt-helpers.c
index d751d5a4b..6e19066d8 100644
--- a/src/shared/gatt-helpers.c
+++ b/src/shared/gatt-helpers.c
@@ -686,7 +686,13 @@ static void find_by_type_val_cb(uint8_t opcode, const void *pdu,
 op->result_tail = cur_result;
 }
 
- last_end = get_le16(pdu + length - 6);
+ /*
+ * Each data set contains:
+ * 2 octets with start handle
+ * 2 octets with end handle
+ * last_end is end handle of last data set
+ */
+ last_end = get_le16(pdu + length - 2);
 
 if (last_end < op->end_handle) {
 uint8_t pdu[6 + get_uuid_len(&op->uuid)];
-- 
2.47.3
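Review bot: The corrected read `last_end = get_le16(pdu + length - 2);` is only in bounds if `length` is already guaranteed to be at least 4 (one complete handle pair) and a multiple of 4, and that validation, if it exists, is above the hunk and not visible here. If the callback can be reached with a short or malformed Find By Type Value response from the peer, `length < 2` still reads before the start of `pdu` and any other non-multiple of 4 reads a truncated data set, so a guard such as `if (length < 4 || length % 4) { /* fail the request */ }` should precede the loop that fills `cur_result`, and the commit message's "can cause illegal access" would then hold for this path as well. Since the preceding loop presumably already parsed every data set into the `cur_result` chain (the hunk only shows `op->result_tail = cur_result;`), taking the end handle from the last parsed result would avoid a second offset-based read of the raw PDU altogether. Note also that the context line `uint8_t pdu[6 + get_uuid_len(&op->uuid)];` declares a local array named `pdu` that shadows the `pdu` parameter the new line reads from; it is pre-existing, but a distinct name such as `req` would remove the ambiguity. find_by_type_val_cb starts before the hunk and continues after it.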