authorakirilov <akirilov@google.com>2018-05-21 11:45:55 -0700
committerTim Schumacher <timschumi@gmx.de>2018-08-08 21:50:44 +0200
commita924846623f320051ee92d1e5b0ee67c36cdfc16 (patch)
treef07fa85e938d3b72aed71e6883773f9b809e2b3a
parent8dd65f3fc5779e6eb129647abdd2b11fcabf8f08 (diff)
RESTRICT AUTOMERGE: Fixes two bluetooth causing remote overreads (2/2)
Bug: 74075873 Test: manual Change-Id: I9a7035a74aca3256c5712ea67a7435627b139c37 (cherry picked from commit 9d647b201b64949e04eade9b594af76c764dbb96)
-rw-r--r--stack/sdp/sdp_discovery.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index 1aab8c110..dee4595ac 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -364,7 +364,7 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
#if (SDP_RAW_DATA_INCLUDED == TRUE)
static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
{
- unsigned int cpy_len;
+ unsigned int cpy_len, rem_len;
UINT32 list_len;
UINT8 *p;
UINT8 type;
@@ -395,6 +395,11 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
{
cpy_len = list_len;
}
+ rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]);
+ if (cpy_len > rem_len) {
+ SDP_TRACE_WARNING("rem_len :%d less than cpy_len:%d", rem_len, cpy_len);
+ cpy_len = rem_len;
+ }
#if (SDP_DEBUG_RAW == TRUE)
SDP_TRACE_WARNING("list_len :%d cpy_len:%d raw_size:%d raw_used:%d",
list_len, cpy_len, p_ccb->p_db->raw_size, p_ccb->p_db->raw_used);
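Review bot: The added clamp bounds `cpy_len` by the capacity of `rsp_list` (`SDP_MAX_LIST_BYTE_COUNT`), not by how many bytes of the response were actually stored there, so a declared length larger than the received data can presumably still copy stale buffer contents into the raw-data area. If the connection control block records the received length, `rem_len` should be derived from that value rather than from the compile-time maximum. The subtraction is also unsigned, so it silently relies on `p` never being past the end of `rsp_list`; a short comment stating that invariant would help. Separately, `rem_len` and `cpy_len` are `unsigned int` but are logged with `%d`; `SDP_TRACE_WARNING("rem_len :%u less than cpy_len:%u", rem_len, cpy_len);` matches the types. `sdp_copy_raw_data` starts before and continues past this hunk, so where `list_len` comes from and the copy itself are not visible here.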