From: Wootak Jung
Date: Fri, 7 Apr 2023 05:50:34 +0000 (+0900)
Subject: shared/gatt-server: Fix att length check logic
X-Git-Tag: accepted/tizen/unified/20230427.155828^0
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F57%2F291057%2F2;p=platform%2Fupstream%2Fbluez.git
shared/gatt-server: Fix att length check logic
Change-Id: Ia5d5e43d20ad952c5a993398ab8dea42529a6162
Signed-off-by: Wootak Jung
---
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index 714f217..9aed2ec 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -867,9 +867,18 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
 (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd",
 handle);

+#if defined TIZEN_FEATURE_BLUEZ_MODIFY
+ /* Because the length includes handle 2bytes,
+ * 'length - 2' should be delivered when checking att length
+ */
+ ecode = check_length(length - 2, 0);
+ if (ecode)
+ goto error;
+#else
 ecode = check_length(length, 0);
 if (ecode)
 goto error;
+#endif

 ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
 if (ecode)
@@ -1449,9 +1458,18 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
 util_debug(server->debug_callback, server->debug_data,
 "Prep Write Req - handle: 0x%04x", handle);

+#if defined TIZEN_FEATURE_BLUEZ_MODIFY
+ /* Because the length includes handle 2bytes and offset 2bytes,
+ * 'length - 4' should be delivered when checking att length
+ */
+ ecode = check_length(length - 4, offset);
+ if (ecode)
+ goto error;
+#else
 ecode = check_length(length, offset);
 if (ecode)
 goto error;
+#endif

 ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
 if (ecode)
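Review bot: The new `check_length(length - 2, 0)` in write_cb subtracts the handle size with no visible guarantee that `length` is at least 2, and the same applies to `length - 4` in the prep_write_cb hunk. Both functions begin outside their hunks, so a minimum-PDU-length check may already sit above these lines; if it does, a comment such as `/* length >= 2 was verified above, so this cannot wrap */` would tie the subtraction to it. If it does not, a truncated PDU makes the difference negative, and the outcome then depends on how that value converts to check_length's parameter type (not shown here) rather than on an explicit rejection. An explicit `if (length < 2)` (respectively `length < 4`) rejection ahead of the subtraction would keep this bound check self-contained.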
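Review bot: The `#if`/`#else` in prep_write_cb repeats the `if (ecode)` / `goto error;` pair in both branches, as does the matching block in the write_cb hunk, so the length check now exists in two copies per function that can drift apart. Only the first argument differs between the two builds; keeping just the `check_length(...)` call inside the conditional and a single `if (ecode)` / `goto error;` after `#endif` would leave one error path to audit. A named local, for example `value_len = length - 4`, would also let the code that later consumes the value use exactly the figure that was validated. That code lies outside this hunk, so whether it already skips the 4 header bytes should be confirmed.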