diff options
Diffstat (limited to 'stack/sdp/sdp_server.c')
-rw-r--r-- | stack/sdp/sdp_server.c | 56 |
1 files changed, 37 insertions, 19 deletions
diff --git a/stack/sdp/sdp_server.c b/stack/sdp/sdp_server.c index c9a214fc0..b7ef7ee99 100644 --- a/stack/sdp/sdp_server.c +++ b/stack/sdp/sdp_server.c @@ -23,7 +23,6 @@ * ******************************************************************************/ #include <cutils/log.h> - #include <stdlib.h> #include <string.h> #include <stdio.h> @@ -360,11 +359,25 @@ void sdp_server_handle_client_req (tCONN_CB *p_ccb, BT_HDR *p_msg) /* Start inactivity timer */ btu_start_timer (&p_ccb->timer_entry, BTU_TTYPE_SDP, SDP_INACT_TIMEOUT); + if (p_req + sizeof(pdu_id) + sizeof(trans_num) > p_req_end) { + android_errorWriteLog(0x534e4554, "69384124"); + trans_num = 0; + sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, + SDP_TEXT_BAD_HEADER); + } + /* The first byte in the message is the pdu type */ pdu_id = *p_req++; /* Extract the transaction number and parameter length */ BE_STREAM_TO_UINT16 (trans_num, p_req); + + if (p_req + sizeof(param_len) > p_req_end) { + android_errorWriteLog(0x534e4554, "69384124"); + sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, + SDP_TEXT_BAD_HEADER); + } + BE_STREAM_TO_UINT16 (param_len, p_req); if ((p_req + param_len) != p_req_end) @@ -429,19 +442,17 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num, return; } - /* Get the max replies we can send. Cap it at our max anyways. */ - BE_STREAM_TO_UINT16 (max_replies, p_req); - - if (max_replies > SDP_MAX_RECORDS) - max_replies = SDP_MAX_RECORDS; - - - if ((!p_req) || (p_req > p_req_end)) + if (p_req + sizeof(max_replies) + sizeof(uint8_t) > p_req_end) { + android_errorWriteLog(0x534e4554, "69384124"); sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_MAX_RECORDS_LIST); return; } + /* Get the max replies we can send. Cap it at our max anyways. */ + BE_STREAM_TO_UINT16 (max_replies, p_req); + if (max_replies > SDP_MAX_RECORDS) + max_replies = SDP_MAX_RECORDS; /* Get a list of handles that match the UUIDs given to us */ for (num_rsp_handles = 0; num_rsp_handles < max_replies; ) @@ -457,7 +468,8 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num, /* Check if this is a continuation request */ if (*p_req) { - if (*p_req++ != SDP_CONTINUATION_LEN || (p_req >= p_req_end)) + if (*p_req++ != SDP_CONTINUATION_LEN || + (p_req + sizeof(cont_offset) > p_req_end)) { sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN); @@ -580,15 +592,16 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, BOOLEAN is_hfp_fallback = FALSE; UINT16 attr_len; - /* Extract the record handle */ - BE_STREAM_TO_UINT32 (rec_handle, p_req); - - if (p_req > p_req_end) + if (p_req + sizeof(rec_handle) + sizeof(max_list_len) > p_req_end) { + android_errorWriteLog(0x534e4554, "69384124"); sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_SERV_REC_HDL, SDP_TEXT_BAD_HANDLE); return; } + /* Extract the record handle */ + BE_STREAM_TO_UINT32 (rec_handle, p_req); + /* Get the max list length we can send. Cap it at MTU size minus overhead */ BE_STREAM_TO_UINT16 (max_list_len, p_req); @@ -597,7 +610,8 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, p_req = sdpu_extract_attr_seq (p_req, param_len, &attr_seq); - if ((!p_req) || (!attr_seq.num_attr) || (p_req > p_req_end)) + if ((!p_req) || (!attr_seq.num_attr) || + (p_req + sizeof(uint8_t) > p_req_end)) { sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_ATTR_LIST); return; @@ -634,7 +648,8 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, return; } - if (*p_req++ != SDP_CONTINUATION_LEN) + if (*p_req++ != SDP_CONTINUATION_LEN || + (p_req + sizeof(cont_offset) > p_req_end)) { sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN); return; @@ -922,7 +937,8 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, /* Extract the UUID sequence to search for */ p_req = sdpu_extract_uid_seq (p_req, param_len, &uid_seq); - if ((!p_req) || (!uid_seq.num_uids)) + if ((!p_req) || (!uid_seq.num_uids) || + (p_req + sizeof(uint16_t) > p_req_end)) { sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_UUID_LIST); return; @@ -936,7 +952,8 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, p_req = sdpu_extract_attr_seq (p_req, param_len, &attr_seq); - if ((!p_req) || (!attr_seq.num_attr)) + if ((!p_req) || (!attr_seq.num_attr) || + (p_req + sizeof(uint8_t) > p_req_end)) { sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX, SDP_TEXT_BAD_ATTR_LIST); return; @@ -967,7 +984,8 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num, return; } - if (*p_req++ != SDP_CONTINUATION_LEN) + if (*p_req++ != SDP_CONTINUATION_LEN || + (p_req + sizeof(uint16_t) > p_req_end)) { sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN); return; |