diff options
| author | Myles Watson <mylesgw@google.com> | 2018-01-11 20:43:47 -0800 |
|---|---|---|
| committer | Tim Schumacher <timschumi@gmx.de> | 2018-03-30 14:34:12 +0200 |
| commit | 52e32aca33db1d5057c2330bd2bd6aebf4f11c3b (patch) | |
| tree | 116d66921a13f3e859cc46c1b53765ce39f8b1ca /stack | |
| parent | 30b7a8208b7be560ff0d86b6cde42fcc54a466f3 (diff) | |
| download | android_system_bt-52e32aca33db1d5057c2330bd2bd6aebf4f11c3b.tar.gz android_system_bt-52e32aca33db1d5057c2330bd2bd6aebf4f11c3b.tar.bz2 android_system_bt-52e32aca33db1d5057c2330bd2bd6aebf4f11c3b.zip | |
SDP: Include the offset in sdp_disc_server_rsp
The commit
SDP: Pass the bounds to process_service_*_rsp
with the change ID
Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
omitted the offset when calculating the end of the message.
Bug: 68161546
Test: Connect a headset
Change-Id: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit 1ff9151b7de9cff6aab3919d151542e7244cc0e5)
Merged-In: I6266b51e3871ed6ce9932161e4ab66de90af4ce6
(cherry picked from commit c379fc0f7a158e7028771bcf9dea19987f771a8e)
CVE-2017-13259
Diffstat (limited to 'stack')
| -rw-r--r-- | stack/sdp/sdp_discovery.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c index fe48af462..ecbd4b254 100644 --- a/stack/sdp/sdp_discovery.c +++ b/stack/sdp/sdp_discovery.c @@ -245,7 +245,7 @@ void sdp_disc_server_rsp (tCONN_CB *p_ccb, BT_HDR *p_msg) /* Got a reply!! Check what we got back */ p = (UINT8 *)(p_msg + 1) + p_msg->offset; - UINT8 *p_end = (UINT8 *)(p_msg + 1) + p_msg->len; + UINT8 *p_end = p + p_msg->len; BE_STREAM_TO_UINT8 (rsp_pdu, p); |