diff options
author | Jakub Pawlowski <jpawlowski@google.com> | 2018-07-16 06:40:35 -0700 |
---|---|---|
committer | Tim Schumacher <timschumi@gmx.de> | 2018-11-18 07:45:39 +0000 |
commit | a9fd8465015a0e0ff8572749b44d7795f8045020 (patch) | |
tree | ad6815ebbb13ff2f498e5f434299de29de1c1bec | |
parent | 42b6e678ce790fb68de14c7302906e07bc09e15b (diff) | |
download | android_system_bt-a9fd8465015a0e0ff8572749b44d7795f8045020.tar.gz android_system_bt-a9fd8465015a0e0ff8572749b44d7795f8045020.tar.bz2 android_system_bt-a9fd8465015a0e0ff8572749b44d7795f8045020.zip |
Fix copy length calculation in sdp_copy_raw_data
Test: compilation
Bug: 110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
(cherry picked from commit 23aa15743397b345f3d948289fe90efa2a2e2b3e)
-rw-r--r-- | stack/sdp/sdp_discovery.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c index 5ec79b7d3..49a5b2934 100644 --- a/stack/sdp/sdp_discovery.c +++ b/stack/sdp/sdp_discovery.c @@ -388,8 +388,16 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset) if(offset) { + cpy_len -= 1; type = *p++; + uint8_t* old_p = p; p = sdpu_get_len_from_type (p, type, &list_len); + if ((int)cpy_len < (p - old_p)) + { + SDP_TRACE_WARNING("%s: no bytes left for data", __func__); + return; + } + cpy_len -= (p - old_p); } if(list_len < cpy_len) { |