SDP: return error on offset bigger than atribute length

Test: none Bug: 79217770 Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998 (cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
author: Jakub Pawlowski <jpawlowski@google.com> 2018-06-22 04:46:39 -0700
committer: Tim Schumacher <timschumi@gmx.de> 2018-10-22 21:09:13 +0200
commit: ec2257b71588275be62cca468d679f13f4c47e8b (patch)
tree: d8cf0882d0b5cfdba154c1cff13914e500d002c3
parent: 334f1ad0deb38c4b865270c513e8228171fd5bcc (diff)
download: android_system_bt-ec2257b71588275be62cca468d679f13f4c47e8b.tar.gz
android_system_bt-ec2257b71588275be62cca468d679f13f4c47e8b.tar.bz2
android_system_bt-ec2257b71588275be62cca468d679f13f4c47e8b.zip
1 files changed, 14 insertions, 0 deletions
diff --git a/stack/sdp/sdp_server.c b/stack/sdp/sdp_server.c
index 3ed9299a0..e07bb5444 100644
--- a/stack/sdp/sdp_server.c
+++ b/stack/sdp/sdp_server.c
@@ -743,6 +743,13 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
             /* if there is a partial attribute pending to be sent */
             if (p_ccb->cont_info.attr_offset)
             {
+                if (attr_len < p_ccb->cont_info.attr_offset) {
+                    android_errorWriteLog(0x534e4554, "79217770");
+                    SDP_TRACE_ERROR("offset is bigger than attribute length");
+                    sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+                                            SDP_TEXT_BAD_CONT_LEN);
+                    return;
+                }
                 p_rsp = sdpu_build_partial_attrib_entry (p_rsp, p_attr, rem_len,
                                                          &p_ccb->cont_info.attr_offset);
 
@@ -1098,6 +1105,13 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
                 /* if there is a partial attribute pending to be sent */
                 if (p_ccb->cont_info.attr_offset)
                 {
+                    if (attr_len < p_ccb->cont_info.attr_offset) {
+                        android_errorWriteLog(0x534e4554, "79217770");
+                        SDP_TRACE_ERROR("offset is bigger than attribute length");
+                        sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+                                                SDP_TEXT_BAD_CONT_LEN);
+                        return;
+                    }
                     p_rsp = sdpu_build_partial_attrib_entry (p_rsp, p_attr, rem_len,
                                                              &p_ccb->cont_info.attr_offset);
author	Jakub Pawlowski <jpawlowski@google.com>	2018-06-22 04:46:39 -0700
committer	Tim Schumacher <timschumi@gmx.de>	2018-10-22 21:09:13 +0200
commit	ec2257b71588275be62cca468d679f13f4c47e8b (patch)
tree	d8cf0882d0b5cfdba154c1cff13914e500d002c3
parent	334f1ad0deb38c4b865270c513e8228171fd5bcc (diff)
download	android_system_bt-ec2257b71588275be62cca468d679f13f4c47e8b.tar.gz android_system_bt-ec2257b71588275be62cca468d679f13f4c47e8b.tar.bz2 android_system_bt-ec2257b71588275be62cca468d679f13f4c47e8b.zip