author | Hansong Zhang <hsz@google.com> | 2018-04-02 10:05:56 -0700 |
---|---|---|
committer | MSe <mse1969@posteo.de> | 2018-06-08 17:53:30 +0200 |
commit | 89bf05696888d0accec19ec49f2066b1dc99611f (patch) | |
tree | 0ca321b239cc46f2cf92ed66c46e0f65b3306b26 | |
parent | a490759d3569efe6e94bef306865a4f8e01b3656 (diff) | |
DO NOT MERGE Fix unexpected behavior in bta_dm_sdp_result
Check the number of UUIDs from remote device
Bug: 74016921
Test: manual
Change-Id: I1ca1f66bfc935f5fd219e8147511bdac7d2789ef
(cherry picked from commit 67ec216daa43f71adf103de6c4156c5a892c1460)
CVE-2018-9355
-rw-r--r-- | bta/dm/bta_dm_act.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/bta/dm/bta_dm_act.c b/bta/dm/bta_dm_act.c
index 49a7c5a1f..addc3087f 100644
--- a/bta/dm/bta_dm_act.c
+++ b/bta/dm/bta_dm_act.c
@@ -23,6 +23,7 @@
 *
 ******************************************************************************/
+#include <cutils/log.h>
 #include "bt_target.h"
 #include "bt_types.h"
 #include "gki.h"
@@ -46,6 +47,8 @@
 #include "gap_api.h"
 #endif
+#define BTA_MAX_SERVICES 32
+
 static void bta_dm_inq_results_cb (tBTM_INQ_RESULTS *p_inq, UINT8 *p_eir);
 static void bta_dm_inq_cmpl_cb (void * p_result);
 static void bta_dm_service_search_remname_cback (BD_ADDR bd_addr, DEV_CLASS dc, BD_NAME bd_name);
@@ -1634,7 +1637,7 @@ void bta_dm_sdp_result (tBTA_DM_MSG *p_data)
 #endif
 UINT32 num_uuids = 0;
- UINT8 uuid_list[32][MAX_UUID_SIZE]; // assuming a max of 32 services
+ UINT8 uuid_list[BTA_MAX_SERVICES][MAX_UUID_SIZE]; // assuming a max of 32 services
 if((p_data->sdp_event.sdp_result == SDP_SUCCESS)
 || (p_data->sdp_event.sdp_result == SDP_NO_RECS_MATCH)
@@ -1713,8 +1716,12 @@ void bta_dm_sdp_result (tBTA_DM_MSG *p_data)
 (tBTA_SERVICE_MASK)(BTA_SERVICE_ID_TO_SERVICE_MASK(bta_dm_search_cb.service_index-1));
 tmp_svc = bta_service_id_to_uuid_lkup_tbl[bta_dm_search_cb.service_index-1];
 /* Add to the list of UUIDs */
- sdpu_uuid16_to_uuid128(tmp_svc, uuid_list[num_uuids]);
- num_uuids++;
+ if (num_uuids < BTA_MAX_SERVICES) {
+ sdpu_uuid16_to_uuid128(tmp_svc, uuid_list[num_uuids]);
+ num_uuids++;
+ } else {
+ android_errorWriteLog(0x534e4554, "74016921");
+ }
 }
 }
 }
@@ -1756,8 +1763,12 @@ void bta_dm_sdp_result (tBTA_DM_MSG *p_data)
 {
 if (SDP_FindServiceUUIDInRec_128bit(p_sdp_rec, &temp_uuid))
 {
- memcpy(uuid_list[num_uuids], temp_uuid.uu.uuid128, MAX_UUID_SIZE);
- num_uuids++;
+ if (num_uuids < BTA_MAX_SERVICES) {
+ memcpy(uuid_list[num_uuids], temp_uuid.uu.uuid128, MAX_UUID_SIZE);
+ num_uuids++;
+ } else {
+ android_errorWriteLog(0x534e4554, "74016921");
+ }
 }
 }
 } while (p_sdp_rec); |
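Review bot: The trailing comment on `uuid_list` in the -1634 hunk still reads "assuming a max of 32 services", although after this change the limit is enforced rather than assumed and the number lives in BTA_MAX_SERVICES. I would reword it to `// holds at most BTA_MAX_SERVICES UUIDs; every append below is bounds-checked` so the declaration points readers at the guards. bta_dm_sdp_result starts before this hunk and continues past it.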
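Review bot: Both new `else` branches drop the UUID and log a bare magic number without a comment saying so; this applies after `/* Add to the list of UUIDs */` in the -1713 hunk and around the `memcpy` in the -1756 hunk. I would put above each guard `/* uuid_list is full: drop further UUIDs and write an snet_event_log entry (0x534e4554 is ASCII "SNET") tagged with the bug id */`, which also tells anyone triaging device logs what the entry means. The enclosing loops start outside both hunks, but nothing visible stops them once the list is full, so the entry is presumably written once per surplus record supplied by the remote device. If nothing later relies on the full walk, logging only the first overflow would keep a peer from flooding the event log.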