Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5fb5a2b9 authored by Jakub Pawlowski's avatar Jakub Pawlowski
Browse files

SDP: return error on offset bigger than atribute length 

Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
parent c8854042

system/stack/sdp/sdp_server.cc

+14 −0
Original line number Diff line number Diff line
@@ -423,6 +423,13 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, 
      attr_len = sdpu_get_attrib_entry_len(p_attr);

      /* if there is a partial attribute pending to be sent */

      if (p_ccb->cont_info.attr_offset) {

        if (attr_len < p_ccb->cont_info.attr_offset) {

          android_errorWriteLog(0x534e4554, "79217770");

          LOG(ERROR) << "offset is bigger than attribute length";

          sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,

                                  SDP_TEXT_BAD_CONT_LEN);

          return;

        }

        p_rsp = sdpu_build_partial_attrib_entry(p_rsp, p_attr, rem_len,

                                                &p_ccb->cont_info.attr_offset);
@@ -663,6 +670,13 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num, 
        attr_len = sdpu_get_attrib_entry_len(p_attr);

        /* if there is a partial attribute pending to be sent */

        if (p_ccb->cont_info.attr_offset) {

          if (attr_len < p_ccb->cont_info.attr_offset) {

            android_errorWriteLog(0x534e4554, "79217770");

            LOG(ERROR) << "offset is bigger than attribute length";

            sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,

                                    SDP_TEXT_BAD_CONT_LEN);

            return;

          }

          p_rsp = sdpu_build_partial_attrib_entry(

              p_rsp, p_attr, rem_len, &p_ccb->cont_info.attr_offset);