Add PDU size checks in process_service_search_attr_rsp

Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 980f6427b183e013958acd6b70e91f58177408a6)

1 files changed, 14 insertions, 0 deletions

diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index dee4595ac..5ec79b7d3 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -599,6 +599,13 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
     /* If p_reply is NULL, we were called for the initial read */
     if (p_reply)
     {
+    if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
+        p_reply_end) {
+        android_errorWriteLog(0x534e4554, "79884292");
+        sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+        return;
+    }
+
 #if (SDP_DEBUG_RAW == TRUE)
         SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x",
             p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
@@ -622,6 +629,13 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
         SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d",
             p_ccb->list_len, lists_byte_count);
 #endif
+
+        if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
+            android_errorWriteLog(0x534e4554, "79884292");
+            sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+            return;
+        }
+
         if (p_ccb->rsp_list == NULL)
         {
             p_ccb->rsp_list = (UINT8 *)GKI_getbuf (SDP_MAX_LIST_BYTE_COUNT);