From 40f996c64afa28ddc0d9a081ba0fac3526d046b9 Mon Sep 17 00:00:00 2001
From: Sebastian Urban
Date: Fri, 11 Jun 2021 14:30:21 +0200
Subject: [PATCH] gatt-client: Check length of notify multiple op

Check that specfied length of value in received data does not exceed length of PDU. Otherwise data may be read from beyond the end of the buffer.
---
 src/shared/gatt-client.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index 9511ea8ca..094922486 100644
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -2173,6 +2173,9 @@ static void notify_cb(struct bt_att_chan *chan, uint8_t opcode,
 length -= 2;
 pdu += 2;
+ if (data.len > length)
+ data.len = length;
+
 data.data = pdu;
 queue_foreach(client->notify_list, notify_handler,
-- 
2.47.3
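Review bot: The new guard `if (data.len > length) data.len = length;` silently shortens a value whose peer-supplied length field overruns the PDU, so every handler reached through `client->notify_list` gets a truncated value with no sign that the tuple was malformed. If truncation is the intended behaviour, say so in a comment above the check, e.g. `/* len comes from the remote device; clamp it to the bytes left in the PDU so handlers never read past the buffer */`; if it is not, the alternative is to stop parsing at that tuple, optionally with a debug log. The enclosing loop in notify_cb starts and ends outside the hunk, so it cannot be confirmed from here that the remaining `length` always covers the two 2-byte fields consumed before this check; that is worth verifying alongside this change.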