diff options
author | Andre Eisenbach <eisenbach@google.com> | 2017-08-08 15:41:21 -0700 |
---|---|---|
committer | Ivan Kutepov <its.kutepov@gmail.com> | 2017-11-10 22:20:36 +0300 |
commit | 38fc1c195f7c51878efab42426a01b89d48f093c (patch) | |
tree | 494f22742e5e5eeefec087880832328e3c1dccfa | |
parent | dc14b3fcab08d9b411b44e7af91b7c7a47d7661d (diff) | |
download | android_system_bt-38fc1c195f7c51878efab42426a01b89d48f093c.tar.gz android_system_bt-38fc1c195f7c51878efab42426a01b89d48f093c.tar.bz2 android_system_bt-38fc1c195f7c51878efab42426a01b89d48f093c.zip |
SDP: Bounds check 'id' parameter for free_sdp_slot()replicant-6.0-0003
Test: manual
Fixes: 37502513
Change-Id: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7
CVE-2017-0842
-rw-r--r-- | btif/src/btif_sdp_server.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/btif/src/btif_sdp_server.c b/btif/src/btif_sdp_server.c index 526586901..bac359656 100644 --- a/btif/src/btif_sdp_server.c +++ b/btif/src/btif_sdp_server.c @@ -215,7 +215,8 @@ static int alloc_sdp_slot(bluetooth_sdp_record* in_record) { static int free_sdp_slot(int id) { int handle = -1; bluetooth_sdp_record* record = NULL; - if(id >= MAX_SDP_SLOTS) { + if (id < 0 || id >= MAX_SDP_SLOTS) { + android_errorWriteLog(0x534e4554, "37502513"); APPL_TRACE_ERROR("%s() failed - id %d is invalid", __func__, id); return handle; } |