Check that specfied length of value in received data does not exceed length of PDU. Otherwise data may be read from beyond the end of the buffer.
---
 src/shared/gatt-client.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index 9511ea8ca..094922486 100644
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -2173,6 +2173,9 @@ static void notify_cb(struct bt_att_chan *chan, uint8_t opcode,
 length -= 2;
 pdu += 2;
+ if (data.len > length)
+ data.len = length;
+
 data.data = pdu;
 queue_foreach(client->notify_list, notify_handler,
-- 2.25.1
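Review bot: The added clamp `if (data.len > length) data.len = length;` still passes the truncated value to `notify_handler` as though it were a well-formed notification, so a peer that sends an inconsistent length field has its data delivered rather than rejected. If any registered handler parses the value as a fixed-size structure, a silently shortened value may be misread; consider whether the malformed tuple should be dropped instead. If clamping is intended, a comment such as `/* Malformed PDU: value length exceeds the bytes left, clamp so handlers never read past the buffer */` would make that clear. The check also only holds if `length` has not wrapped at `length -= 2` just above. The guard for that and the rest of `notify_cb` lie outside this hunk, so it is worth confirming that this path only runs when the handle and length fields are fully present.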