Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4832e302 authored by Hui Peng's avatar Hui Peng
Browse files

Add validation on attr type and size in a2dp_api.cc 

Bug: 263958603
Test: atest net_test_stack_a2dp_native
Ignore-AOSP-First: security
Tag: #security
Change-Id: I938467ca4f4b130cd8b4c544096127e679391c06
parent 2fba665a

system/stack/a2dp/a2dp_api.cc

+24 −5
Original line number Original line Diff line number Diff line
@@ -95,21 +95,40 @@ static void a2dp_sdp_cback(UNUSED_ATTR const RawAddress& bd_addr, 
      /* get service name */

      /* get service name */

      if ((p_attr = get_legacy_stack_sdp_api()->record.SDP_FindAttributeInRec(

      if ((p_attr = get_legacy_stack_sdp_api()->record.SDP_FindAttributeInRec(

               p_rec, ATTR_ID_SERVICE_NAME)) != NULL) {

               p_rec, ATTR_ID_SERVICE_NAME)) != NULL) {

        if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == TEXT_STR_DESC_TYPE) {

          a2dp_svc.p_service_name = (char*)p_attr->attr_value.v.array;

          a2dp_svc.p_service_name = (char*)p_attr->attr_value.v.array;

          a2dp_svc.service_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);

          a2dp_svc.service_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);

        } else {

          LOG_ERROR("ATTR_ID_SERVICE_NAME attr type not STR!!");

        }

      } else {

        LOG_ERROR("ATTR_ID_SERVICE_NAME attr not found!!");

      }

      }





      /* get provider name */

      /* get provider name */

      if ((p_attr = get_legacy_stack_sdp_api()->record.SDP_FindAttributeInRec(

      if ((p_attr = get_legacy_stack_sdp_api()->record.SDP_FindAttributeInRec(

               p_rec, ATTR_ID_PROVIDER_NAME)) != NULL) {

               p_rec, ATTR_ID_PROVIDER_NAME)) != NULL) {

        if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == TEXT_STR_DESC_TYPE) {

          a2dp_svc.p_provider_name = (char*)p_attr->attr_value.v.array;

          a2dp_svc.p_provider_name = (char*)p_attr->attr_value.v.array;

          a2dp_svc.provider_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);

          a2dp_svc.provider_len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);

        } else {

          LOG_ERROR("ATTR_ID_PROVIDER_NAME attr type not STR!!");

        }

      } else {

        LOG_ERROR("ATTR_ID_PROVIDER_NAME attr not found!!");

      }

      }





      /* get supported features */

      /* get supported features */

      if ((p_attr = get_legacy_stack_sdp_api()->record.SDP_FindAttributeInRec(

      if ((p_attr = get_legacy_stack_sdp_api()->record.SDP_FindAttributeInRec(

               p_rec, ATTR_ID_SUPPORTED_FEATURES)) != NULL) {

               p_rec, ATTR_ID_SUPPORTED_FEATURES)) != NULL) {

        if (SDP_DISC_ATTR_TYPE(p_attr->attr_len_type) == UINT_DESC_TYPE &&

            SDP_DISC_ATTR_LEN(p_attr->attr_len_type) == 2) {

          a2dp_svc.features = p_attr->attr_value.v.u16;

          a2dp_svc.features = p_attr->attr_value.v.u16;

        } else {

          LOG_ERROR("ATTR_ID_SUPPORTED_FEATURES attr type not STR!!");

        }

      } else {

        LOG_ERROR("ATTR_ID_SUPPORTED_FEATURES attr not found!!");

      }

      }





      /* get AVDTP version */

      /* get AVDTP version */