Loading system/bta/hf_client/bta_hf_client_sdp.cc +13 −0 Original line number Diff line number Diff line Loading @@ -324,6 +324,19 @@ void bta_hf_client_do_disc(tBTA_HF_CLIENT_CB* client_cb) { uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_AG_HANDSFREE); } /* If we already have a non-null discovery database at this point, we can get * into a race condition leading to UAF once this connection is closed. * This should only happen with malicious modifications to a client. */ if (client_cb->p_disc_db != NULL) { APPL_TRACE_ERROR( "Tried to set up a HF client with a preexisting discovery database."); client_cb->p_disc_db = NULL; // We manually set the state here because it's possible to call this from an // OPEN state, in which case the discovery fail event will be ignored. client_cb->state = 0; // BTA_HF_CLIENT_INIT_ST return; } /* allocate buffer for sdp database */ client_cb->p_disc_db = (tSDP_DISCOVERY_DB*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); Loading system/stack/sdp/sdp_discovery.cc +9 −0 Original line number Diff line number Diff line Loading @@ -604,6 +604,15 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, uint8_t* p; uint16_t bytes_left = SDP_DATA_BUF_SIZE; /* If we don't have a valid discovery database, we can't do anything. */ if (p_ccb->p_db == NULL) { SDP_TRACE_WARNING( "Attempted continuation or first time request with invalid discovery " "database"); sdp_disconnect(p_ccb, tSDP_STATUS::SDP_INVALID_CONT_STATE); return; } p_msg->offset = L2CAP_MIN_OFFSET; p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET; Loading Loading
system/bta/hf_client/bta_hf_client_sdp.cc +13 −0 Original line number Diff line number Diff line Loading @@ -324,6 +324,19 @@ void bta_hf_client_do_disc(tBTA_HF_CLIENT_CB* client_cb) { uuid_list[0] = Uuid::From16Bit(UUID_SERVCLASS_AG_HANDSFREE); } /* If we already have a non-null discovery database at this point, we can get * into a race condition leading to UAF once this connection is closed. * This should only happen with malicious modifications to a client. */ if (client_cb->p_disc_db != NULL) { APPL_TRACE_ERROR( "Tried to set up a HF client with a preexisting discovery database."); client_cb->p_disc_db = NULL; // We manually set the state here because it's possible to call this from an // OPEN state, in which case the discovery fail event will be ignored. client_cb->state = 0; // BTA_HF_CLIENT_INIT_ST return; } /* allocate buffer for sdp database */ client_cb->p_disc_db = (tSDP_DISCOVERY_DB*)osi_malloc(BT_DEFAULT_BUFFER_SIZE); Loading
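Review bot: The recovery branch in `bta_hf_client_do_disc` overwrites `client_cb->p_disc_db` with NULL without releasing the buffer it pointed to, so an osi_malloc'd discovery database is leaked every time this path fires; if that is deliberate because the SDP layer may still hold the pointer (the UAF the comment describes), the comment should say so, e.g. `/* Not freed on purpose: the SDP layer may still reference this buffer. */`. The state reset `client_cb->state = 0; // BTA_HF_CLIENT_INIT_ST` uses a magic number explained by a comment; if the named constant is visible in this translation unit it should read `client_cb->state = BTA_HF_CLIENT_INIT_ST;`. The function starts and ends outside the hunk, so whether callers expect a discovery-fail event after this early return cannot be confirmed from here.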
system/stack/sdp/sdp_discovery.cc +9 −0 Original line number Diff line number Diff line Loading @@ -604,6 +604,15 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, uint8_t* p; uint16_t bytes_left = SDP_DATA_BUF_SIZE; /* If we don't have a valid discovery database, we can't do anything. */ if (p_ccb->p_db == NULL) { SDP_TRACE_WARNING( "Attempted continuation or first time request with invalid discovery " "database"); sdp_disconnect(p_ccb, tSDP_STATUS::SDP_INVALID_CONT_STATE); return; } p_msg->offset = L2CAP_MIN_OFFSET; p = p_start = (uint8_t*)(p_msg + 1) + L2CAP_MIN_OFFSET; Loading
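Review bot: The early return added after `bytes_left` leaks `p_msg` if it was already allocated with `osi_malloc` above the hunk, which its use on the very next line (`p_msg->offset = L2CAP_MIN_OFFSET;`) suggests; the guard should either free it, `osi_free(p_msg); return;`, or be moved ahead of the allocation. The guard also sits after the reply-parsing portion of `process_service_search_attr_rsp`, which starts outside the hunk; if that portion dereferences `p_ccb->p_db` when `p_reply` is non-NULL, a NULL database is already dereferenced before this check runs, so the check belongs at function entry. The function continues past the end of the hunk as well.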