SDP: Bounds check 'id' parameter for free_sdp_slot()replicant-6.0-0003

Test: manual Fixes: 37502513 Change-Id: I34e8296ec7ec6b4ffbe1fa0452754f2a421e6ec7 CVE-2017-0842
author: Andre Eisenbach <eisenbach@google.com> 2017-08-08 15:41:21 -0700
committer: Ivan Kutepov <its.kutepov@gmail.com> 2017-11-10 22:20:36 +0300
commit: 38fc1c195f7c51878efab42426a01b89d48f093c (patch)
tree: 494f22742e5e5eeefec087880832328e3c1dccfa
parent: dc14b3fcab08d9b411b44e7af91b7c7a47d7661d (diff)
download: android_system_bt-38fc1c195f7c51878efab42426a01b89d48f093c.tar.gz
android_system_bt-38fc1c195f7c51878efab42426a01b89d48f093c.tar.bz2
android_system_bt-38fc1c195f7c51878efab42426a01b89d48f093c.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/btif/src/btif_sdp_server.c b/btif/src/btif_sdp_server.c
index 526586901..bac359656 100644
--- a/btif/src/btif_sdp_server.c
+++ b/btif/src/btif_sdp_server.c
@@ -215,7 +215,8 @@ static int alloc_sdp_slot(bluetooth_sdp_record* in_record) {
 static int free_sdp_slot(int id) {
     int handle = -1;
     bluetooth_sdp_record* record = NULL;
-    if(id >= MAX_SDP_SLOTS) {
+    if (id < 0 || id >= MAX_SDP_SLOTS) {
+        android_errorWriteLog(0x534e4554, "37502513");
         APPL_TRACE_ERROR("%s() failed - id %d is invalid", __func__, id);
         return handle;
     }
author	Andre Eisenbach <eisenbach@google.com>	2017-08-08 15:41:21 -0700
committer	Ivan Kutepov <its.kutepov@gmail.com>	2017-11-10 22:20:36 +0300
commit	38fc1c195f7c51878efab42426a01b89d48f093c (patch)
tree	494f22742e5e5eeefec087880832328e3c1dccfa
parent	dc14b3fcab08d9b411b44e7af91b7c7a47d7661d (diff)
download	android_system_bt-38fc1c195f7c51878efab42426a01b89d48f093c.tar.gz android_system_bt-38fc1c195f7c51878efab42426a01b89d48f093c.tar.bz2 android_system_bt-38fc1c195f7c51878efab42426a01b89d48f093c.zip