Diffstat (limited to 'stack/sdp/sdp_discovery.c')
-rw-r--r--stack/sdp/sdp_discovery.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index dee4595ac..5ec79b7d3 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -599,6 +599,13 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
/* If p_reply is NULL, we were called for the initial read */
if (p_reply)
{
+ if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
+ p_reply_end) {
+ android_errorWriteLog(0x534e4554, "79884292");
+ sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+ return;
+ }
+
#if (SDP_DEBUG_RAW == TRUE)
SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x",
p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
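Review bot: The new guard at `p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) > p_reply_end` first forms a pointer that may lie beyond the end of the reply buffer and only then compares it, which is undefined behaviour in C when p_reply_end is the one-past-the-end pointer; a compiler is allowed to assume the sum is in bounds and fold the test away. Comparing remaining length instead keeps the arithmetic inside the object: `if (p_reply_end - p_reply < (ptrdiff_t)(4 + sizeof(lists_byte_count))) {`. The literal 4 would also read better as a named constant or as `sizeof(transaction id) + sizeof(length)` in a comment stating the PDU header layout it encodes, since the type of lists_byte_count is not visible here and the reader has to trust that sizeof is 2. process_service_search_attr_rsp starts and ends outside this hunk.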
@@ -622,6 +629,13 @@ static void process_service_search_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply,
SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d",
p_ccb->list_len, lists_byte_count);
#endif
+
+ if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
+ android_errorWriteLog(0x534e4554, "79884292");
+ sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+ return;
+ }
+
if (p_ccb->rsp_list == NULL)
{
p_ccb->rsp_list = (UINT8 *)GKI_getbuf (SDP_MAX_LIST_BYTE_COUNT);
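Review bot: The second guard, `p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end`, has the same shape as the first one and so also forms a possibly out-of-bounds pointer before comparing; the length form `if (p_reply_end - p_reply < (ptrdiff_t)lists_byte_count + 1) {` avoids that. It bounds lists_byte_count only against the received reply, not against the SDP_MAX_LIST_BYTE_COUNT buffer that p_ccb->rsp_list is allocated with directly below; if the copy into rsp_list later in the function relies on p_ccb->list_len rather than re-checking, that capacity check should be confirmed or added at this point, e.g. `if (p_ccb->list_len + lists_byte_count > SDP_MAX_LIST_BYTE_COUNT) { sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE); return; }`. The copy and the rest of process_service_search_attr_rsp are outside this hunk, so this is a point to verify rather than a confirmed defect.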