author | Jakub Pawlowski <jpawlowski@google.com> | 2018-05-24 08:59:34 -0700 |
committer | Tim Schumacher <timschumi@gmx.de> | 2018-09-09 00:28:49 +0200 |
commit | 5c361430980998f0e0afa07e097b9478010ac3bf (patch) | |
tree | f182ab4d7fa12ab50efce53346f9fea255faa4ce | |
parent | 7d67bf35bc3b06e16c154ac8819841466f7fb135 (diff) | |
download | android_system_bt-5c361430980998f0e0afa07e097b9478010ac3bf.tar.gz android_system_bt-5c361430980998f0e0afa07e097b9478010ac3bf.tar.bz2 android_system_bt-5c361430980998f0e0afa07e097b9478010ac3bf.zip |
Add PDU size checks in process_service_search_attr_rsp
Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 980f6427b183e013958acd6b70e91f58177408a6)
-rw-r--r-- | stack/sdp/sdp_discovery.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index dee4595ac..5ec79b7d3 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -599,6 +599,13 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
     /* If p_reply is NULL, we were called for the initial read */
     if (p_reply)
     {
+        if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
+            p_reply_end) {
+            android_errorWriteLog(0x534e4554, "79884292");
+            sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+            return;
+        }
+
 #if (SDP_DEBUG_RAW == TRUE)
         SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x",
                           p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
@@ -622,6 +629,13 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
         SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d",
                           p_ccb->list_len, lists_byte_count);
 #endif
+
+        if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
+            android_errorWriteLog(0x534e4554, "79884292");
+            sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+            return;
+        }
+
         if (p_ccb->rsp_list == NULL)
         {
             p_ccb->rsp_list = (UINT8 *)GKI_getbuf (SDP_MAX_LIST_BYTE_COUNT);
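Review bot: The new guard in the first hunk computes `p_reply + 4 + sizeof(lists_byte_count)` before comparing it with `p_reply_end`, so on a PDU with fewer than six bytes left the intermediate pointer lands more than one past the end of the buffer, which is undefined behaviour in C and something an optimizer is entitled to fold to "never true". Expressing the check as a remaining-length comparison keeps every pointer inside the object: `if (p_reply_end - p_reply < (ptrdiff_t)(4 + sizeof(lists_byte_count))) {`. That form presumes `p_reply_end` is never below `p_reply`, which depends on how `p_reply_end` is derived outside the hunk and should be confirmed there. The logging call and `sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE)` are the right reaction; a comment such as `/* need txn ID, param length and lists_byte_count before reading them */` would explain the constant 4 + 2 to the next reader. The body of process_service_search_attr_rsp starts and ends outside this hunk.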
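Review bot: The second hunk's guard has the same pointer-arithmetic shape, `p_reply + lists_byte_count + 1 > p_reply_end`, where `lists_byte_count` comes straight off the wire, so the sum can again point well past the buffer before the comparison is made; `if (p_reply_end - p_reply < (ptrdiff_t)lists_byte_count + 1) {` makes the same decision without forming an out-of-bounds pointer. This check bounds `lists_byte_count` only against the PDU, not against the `SDP_MAX_LIST_BYTE_COUNT` buffer that `GKI_getbuf` allocates on the next lines; the copy into `p_ccb->rsp_list` and whatever existing `list_len + lists_byte_count` check protects it are past the end of the hunk and should be confirmed to still run before that copy. The comment `/* continuation */` on the `+ 1` is helpful; consider spelling it out as `/* one continuation-state byte follows the attribute lists */` so the reason for the extra byte is not lost. The enclosing function continues beyond this hunk.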