DO NOT MERGE: AdapterService: Check the PIN code length before using
The length is assigned by the framework. We should be better to check
again before using, and dropped any unexcepted input.
Bug: 139287605
Test: PoC
Change-Id: Ie2dd01e0b192e7ed1fe4b464618ddfa415dbf15c
diff --git a/src/com/android/bluetooth/btservice/AdapterService.java b/src/com/android/bluetooth/btservice/AdapterService.java
index 9d8cde9..8a4c856 100644
--- a/src/com/android/bluetooth/btservice/AdapterService.java
+++ b/src/com/android/bluetooth/btservice/AdapterService.java
@@ -1989,6 +1989,12 @@
return false;
}
+ if (pinCode.length != len) {
+ android.util.EventLog.writeEvent(0x534e4554, "139287605", -1,
+ "PIN code length mismatch");
+ return false;
+ }
+
byte[] addr = Utils.getBytesFromAddress(device.getAddress());
return pinReplyNative(addr, accept, len, pinCode);
}
@@ -2000,6 +2006,12 @@
return false;
}
+ if (passkey.length != len) {
+ android.util.EventLog.writeEvent(0x534e4554, "139287605", -1,
+ "Passkey length mismatch");
+ return false;
+ }
+
byte[] addr = Utils.getBytesFromAddress(device.getAddress());
return sspReplyNative(addr, AbstractionLayer.BT_SSP_VARIANT_PASSKEY_ENTRY, accept,
Utils.byteArrayToInt(passkey));