Add PDU size checks in process_service_search_attr_rsp (63967b14) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/sdp/sdp_discovery.c

+14 −0

Original line number	Diff line number	Diff line
		@@ -585,6 +585,13 @@ static void process_service_search_attr_rsp(tCONN_CB p_ccb, UINT8 p_reply,
		/* If p_reply is NULL, we were called for the initial read */
		if (p_reply)
		{
		if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
		p_reply_end) {
		android_errorWriteLog(0x534e4554, "79884292");
		sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
		return;
		}

		#if (SDP_DEBUG_RAW == TRUE)
		SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x",
		p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
		@@ -608,6 +615,13 @@ static void process_service_search_attr_rsp(tCONN_CB p_ccb, UINT8 p_reply,
		SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d",
		p_ccb->list_len, lists_byte_count);
		#endif

		if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
		android_errorWriteLog(0x534e4554, "79884292");
		sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
		return;
		}

		if (p_ccb->rsp_list == NULL)
		{
		p_ccb->rsp_list = (UINT8 *)GKI_getbuf (SDP_MAX_LIST_BYTE_COUNT);