Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 797daed7 authored by Brian Delwiche's avatar Brian Delwiche
Browse files

Add negative length check in process_service_search_rsp 

Bug:225876506
Test: run supplied POC (updated to Android T)
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I0eb0f20eb03e6490ba6c20b3e79c97970c275d9e
parent abf5cee7

system/stack/sdp/sdp_discovery.cc

+1 −1
Original line number Diff line number Diff line
@@ -280,7 +280,7 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, 


  orig = p_ccb->num_handles;

  p_ccb->num_handles += cur_handles;

  if (p_ccb->num_handles == 0) {

  if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) {

    SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, no matches");

    sdp_disconnect(p_ccb, SDP_NO_RECS_MATCH);

    return;