From 43d653e56f5a71d971182aec8fe2d82b6ec163e7 Mon Sep 17 00:00:00 2001
From: Szymon Janc
Date: Wed, 2 Apr 2014 13:55:15 +0200
Subject: [PATCH] android/hal-gatt: Add missing length checks for variable length events

---
 android/hal-gatt.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/android/hal-gatt.c b/android/hal-gatt.c
index b4512d49b..b928d64f0 100644
--- a/android/hal-gatt.c
+++ b/android/hal-gatt.c
@@ -17,6 +17,7 @@
 #include
 #include
+#include
 #include "hal-log.h"
 #include "hal.h"
@@ -75,6 +76,11 @@ static void handle_scan_result(void *buf, uint16_t len)
 {
 struct hal_ev_gatt_client_scan_result *ev = buf;
+ if (len != sizeof(*ev) + ev->len ) {
+ error("gatt: invalid scan result event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
 if (cbs->client->scan_result_cb)
 cbs->client->scan_result_cb((bt_bdaddr_t *) ev->bda, ev->rssi,
 ev->adv_data);
@@ -185,6 +191,11 @@ static void handle_notify(void *buf, uint16_t len)
 struct hal_ev_gatt_client_notify *ev = buf;
 btgatt_notify_params_t params;
+ if (len != sizeof(*ev) + ev->len ) {
+ error("gatt: invalid notify event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
 memset(¶ms, 0, sizeof(params));
 memcpy(params.value, ev->value, ev->len);
 memcpy(¶ms.bda, ev->bda, sizeof(params.bda));
@@ -204,6 +215,11 @@ static void handle_read_characteristic(void *buf, uint16_t len)
 struct hal_ev_gatt_client_read_characteristic *ev = buf;
 btgatt_read_params_t params;
+ if (len != sizeof(*ev) + ev->data.len ) {
+ error("gatt: invalid read characteristic event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
 memset(¶ms, 0, sizeof(params));
 srvc_id_from_hal(¶ms.srvc_id, &ev->data.srvc_id);
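Review bot: The added check in handle_scan_result reads `ev->len` before anything in the function has established that the buffer holds at least `sizeof(*ev)` bytes, so unless the IPC dispatcher already rejects events shorter than the fixed header, a truncated message turns the check itself into an out-of-bounds read of the receive buffer. Guarding the header size first keeps the check correct regardless of what the caller guarantees: `if (len < sizeof(*ev) || len != sizeof(*ev) + ev->len) {`. The same ordering concern applies to the four sibling checks this commit adds. Separately, `ev->adv_data` is handed to the callback with no relation to `ev->len` visible here; whether the consumer assumes a fixed advertising-data size cannot be judged from this hunk.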
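Review bot: The new check in handle_notify ties `ev->len` to the IPC length but not to the destination of the `memcpy(params.value, ev->value, ev->len)` that follows, so an event whose declared length is self-consistent but larger than `params.value` still overflows the stack-resident `btgatt_notify_params_t`. If `ev->len` is wide enough to exceed that array (its declaration and the array size are not visible in this hunk), the check should also bound the copy: `if (len != sizeof(*ev) + ev->len || ev->len > sizeof(params.value)) {`. Aborting with exit() on a malformed message is consistent with the other handlers, so rejecting the oversized case the same way fits the file's error policy.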
@@ -244,6 +260,11 @@ static void handle_read_descriptor(void *buf, uint16_t len)
 struct hal_ev_gatt_client_read_descriptor *ev = buf;
 btgatt_read_params_t params;
+ if (len != sizeof(*ev) + ev->data.len ) {
+ error("gatt: invalid read descriptor event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
 memset(¶ms, 0, sizeof(params));
 srvc_id_from_hal(¶ms.srvc_id, &ev->data.srvc_id);
@@ -413,6 +434,11 @@ static void handle_request_write(void *buf, uint16_t len)
 {
 struct hal_ev_gatt_server_request_write *ev = buf;
+ if (len != sizeof(*ev) + ev->length ) {
+ error("gatt: invalid request write event, aborting");
+ exit(EXIT_FAILURE);
+ }
+
 if (cbs->server->request_write_cb)
 cbs->server->request_write_cb(ev->conn_id, ev->trans_id,
 (bt_bdaddr_t *) ev->bdaddr,
--
2.47.3
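Review bot: A stray space before the closing parenthesis, `ev->data.len )`, departs from the kernel-style formatting used by the surrounding code; the same slip is present in all five conditions this commit adds, and here the line should read `if (len != sizeof(*ev) + ev->data.len) {`. handle_read_descriptor continues past the end of the hunk, so whether the value carried in `ev->data` is later copied into a bounded destination cannot be confirmed from this view. A short comment on the check, e.g. `/* reject events whose declared value length disagrees with the IPC length */`, would record what the equality is meant to guarantee for the next reader.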