From b3e71b7d3a4caec6b6c958ad387a8a05466422ef Mon Sep 17 00:00:00 2001
From: Wootak Jung
Date: Fri, 7 Apr 2023 14:50:34 +0900
Subject: [PATCH] shared/gatt-server: Fix att length check logic

Change-Id: Ia5d5e43d20ad952c5a993398ab8dea42529a6162
Signed-off-by: Wootak Jung
---
 src/shared/gatt-server.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index 714f217..9aed2ec 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -867,9 +867,18 @@ static void write_cb(struct bt_att_chan *chan, uint8_t opcode, const void *pdu,
 (opcode == BT_ATT_OP_WRITE_REQ) ? "Req" : "Cmd", handle);
+#if defined TIZEN_FEATURE_BLUEZ_MODIFY
+ /* Because the length includes handle 2bytes,
+ * 'length - 2' should be delivered when checking att length
+ */
+ ecode = check_length(length - 2, 0);
+ if (ecode)
+ goto error;
+#else
 ecode = check_length(length, 0);
 if (ecode)
 goto error;
+#endif
 ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
 if (ecode)
@@ -1449,9 +1458,18 @@ static void prep_write_cb(struct bt_att_chan *chan, uint8_t opcode,
 util_debug(server->debug_callback, server->debug_data, "Prep Write Req - handle: 0x%04x", handle);
+#if defined TIZEN_FEATURE_BLUEZ_MODIFY
+ /* Because the length includes handle 2bytes and offset 2bytes,
+ * 'length - 4' should be delivered when checking att length
+ */
+ ecode = check_length(length - 4, offset);
+ if (ecode)
+ goto error;
+#else
 ecode = check_length(length, offset);
 if (ecode)
 goto error;
+#endif
 ecode = check_permissions(server, attr, BT_ATT_PERM_WRITE_MASK);
 if (ecode)
--
2.7.4
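Review bot: `check_length(length - 2, 0)` in write_cb is only meaningful if `length` has already been verified to be at least 2 before this point, and that guard is not visible in the hunk; write_cb's body starts and ends outside it. Without such a guard, a truncated PDU from the remote peer would make the subtraction go negative, and the result would then be converted to whatever parameter type check_length declares, so the bound would be tested against a number unrelated to the real payload size. Please confirm the minimum-size check runs first and record the dependency next to the call, for example `/* length >= 2 is guaranteed by the PDU size check earlier in this function */`. The same applies to `check_length(length - 4, offset)` in the prep_write_cb hunk, which needs `length >= 4`.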
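Review bot: The `#if`/`#else` in prep_write_cb duplicates the error branch `if (ecode) goto error;` in both arms, although only the `check_length(...)` call differs between the two builds. Keeping just the call inside the conditional and leaving a single `if (ecode) goto error;` after `#endif` would stop the two configurations from drifting apart if the error handling is changed later. The write_cb hunk has the same shape and could be folded the same way. prep_write_cb's body starts and ends outside the hunk.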