Fix a security issue in sdp_server.cc am: db169d7e1a am: 6f02e4d51c am:... (a28ecf8b) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/sdp/sdp_server.cc

+4 −0

Original line number	Original line	Diff line number	Diff line
	@@ -116,9 +116,11 @@ void sdp_server_handle_client_req(tCONN_CB* p_ccb, BT_HDR* p_msg) {

	if (p_req + sizeof(pdu_id) + sizeof(trans_num) > p_req_end) {		if (p_req + sizeof(pdu_id) + sizeof(trans_num) > p_req_end) {
	android_errorWriteLog(0x534e4554, "69384124");		android_errorWriteLog(0x534e4554, "69384124");
			android_errorWriteLog(0x534e4554, "169342531");
	trans_num = 0;		trans_num = 0;
	sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,		sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
	SDP_TEXT_BAD_HEADER);		SDP_TEXT_BAD_HEADER);
			return;
	}		}

	/* The first byte in the message is the pdu type */		/* The first byte in the message is the pdu type */
	@@ -129,8 +131,10 @@ void sdp_server_handle_client_req(tCONN_CB* p_ccb, BT_HDR* p_msg) {

	if (p_req + sizeof(param_len) > p_req_end) {		if (p_req + sizeof(param_len) > p_req_end) {
	android_errorWriteLog(0x534e4554, "69384124");		android_errorWriteLog(0x534e4554, "69384124");
			android_errorWriteLog(0x534e4554, "169342531");
	sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,		sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,
	SDP_TEXT_BAD_HEADER);		SDP_TEXT_BAD_HEADER);
			return;
	}		}

	BE_STREAM_TO_UINT16(param_len, p_req);		BE_STREAM_TO_UINT16(param_len, p_req);