
Commit 0f98ddca authored by William Escande's avatar William Escande

Fix Nullptr access in sdp

Add a null check to prevent a crash when malicious packets are sent

Bug: 227203684
Test: build
Ignore-AOSP-First: Secu fix
Change-Id: I00d9c3429f8aade40663d6003ff43816f123cbf2
parent 23e9b66c
+7 −2
@@ -22,6 +22,9 @@
 *
 ******************************************************************************/

#include <base/logging.h>
#include <log/log.h>

#include <array>
#include <cstdint>
#include <cstring>
@@ -40,8 +43,6 @@
#include "types/bluetooth/uuid.h"
#include "types/raw_address.h"

#include <base/logging.h>

using bluetooth::Uuid;
static const uint8_t sdp_base_uuid[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                        0x10, 0x00, 0x80, 0x00, 0x00, 0x80,
@@ -126,6 +127,10 @@ static uint16_t sdpu_find_most_specific_service_uuid(tSDP_DISC_REC* p_rec) {
    if (p_attr->attr_id == ATTR_ID_SERVICE_CLASS_ID_LIST &&
        SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == DATA_ELE_SEQ_DESC_TYPE) {
      tSDP_DISC_ATTR* p_first_attr = p_attr->attr_value.v.p_sub_attr;
      if (p_first_attr == nullptr) {
        android_errorWriteLog(0x534e4554, "227203684");
        return 0;
      }
      if (SDP_DISC_ATTR_TYPE(p_first_attr->attr_len_type) == UUID_DESC_TYPE &&
          SDP_DISC_ATTR_LEN(p_first_attr->attr_len_type) == 2) {
        return p_first_attr->attr_value.v.u16;
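Review bot: The early `return 0;` in the new `p_first_attr == nullptr` branch has no comment saying what 0 means to callers or why the event is logged, and the constant `0x534e4554` is unexplained. A one-line comment above the check such as `// Peer sent an empty service class ID list: log a SafetyNet event (0x534e4554 is "SNET") and report no UUID.` would cover it, assuming 0 is this function's not-found value, which the hunk does not show. The commit lists only `Test: build`, so a unit test that passes a record whose sequence attribute has a null `p_sub_attr` would keep the guard from regressing. The body of sdpu_find_most_specific_service_uuid starts and ends outside the hunk, so whether later uses of `p_sub_attr` need the same check cannot be judged from here.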