diff options
author | akirilov <akirilov@google.com> | 2018-05-21 11:45:55 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-08-08 21:50:44 +0200 |
commit | a924846623f320051ee92d1e5b0ee67c36cdfc16 (patch) | |
tree | f07fa85e938d3b72aed71e6883773f9b809e2b3a | |
parent | 8dd65f3fc5779e6eb129647abdd2b11fcabf8f08 (diff) | |
download | android_system_bt-a924846623f320051ee92d1e5b0ee67c36cdfc16.tar.gz android_system_bt-a924846623f320051ee92d1e5b0ee67c36cdfc16.tar.bz2 android_system_bt-a924846623f320051ee92d1e5b0ee67c36cdfc16.zip |
RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
Bug: 74075873
Test: manual
Change-Id: I9a7035a74aca3256c5712ea67a7435627b139c37
(cherry picked from commit 9d647b201b64949e04eade9b594af76c764dbb96)
-rw-r--r-- | stack/sdp/sdp_discovery.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c index 1aab8c110..dee4595ac 100644 --- a/stack/sdp/sdp_discovery.c +++ b/stack/sdp/sdp_discovery.c @@ -364,7 +364,7 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply, #if (SDP_RAW_DATA_INCLUDED == TRUE) static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset) { - unsigned int cpy_len; + unsigned int cpy_len, rem_len; UINT32 list_len; UINT8 *p; UINT8 type; @@ -395,6 +395,11 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset) { cpy_len = list_len; } + rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]); + if (cpy_len > rem_len) { + SDP_TRACE_WARNING("rem_len :%d less than cpy_len:%d", rem_len, cpy_len); + cpy_len = rem_len; + } #if (SDP_DEBUG_RAW == TRUE) SDP_TRACE_WARNING("list_len :%d cpy_len:%d raw_size:%d raw_used:%d", list_len, cpy_len, p_ccb->p_db->raw_size, p_ccb->p_db->raw_used); |